ID: 17497 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Open +Status: Closed Bug Type: MSSQL related Operating System: Windows 2000 PHP Version: 4.2.1 New Comment:
Fixed in cvs, thanks... Previous Comments: ------------------------------------------------------------------------ [2002-05-28 20:30:16] [EMAIL PROTECTED] I've found a bug in the mssql extension: If magic_quotes_runtime is set every mssql_fetch_* produces a crash of php due to double freed memory. The problem itself is produced in the following code: if (PG(magic_quotes_runtime)) { data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &Z_STRLEN(result->data[result->cur_row][i]), 1 TSRMLS_CC); there the string stored in the zval gets freed without destroying the zval itself, so later if the destructor of the the zval gets called (in _free_result) the data is already freed and php crashes with a memory exception. to (quick)fix this just change the function call to data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &data_len, 0 TSRMLS_CC); the data_len is there since the length of the passed string doesn't change and if it gets changed by php_addslashes we will get warnings of not 0 terminated strings sometimes. and the last parameter was changed to 0 so php_addslashes doesn't free the memory. regards Dominik del Bondio ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=17497&edit=1