ID: 17497
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Closed
Bug Type: MSSQL related
Operating System: Windows 2000
PHP Version: 4.2.1
New Comment:
Fixed in cvs, thanks...
Previous Comments:
------------------------------------------------------------------------
[2002-05-28 20:30:16] [EMAIL PROTECTED]
I've found a bug in the mssql extension: If magic_quotes_runtime is set
every mssql_fetch_* produces a crash of php due to double freed memory.
The problem itself is produced in the following code:
if (PG(magic_quotes_runtime)) {
data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]),
Z_STRLEN(result->data[result->cur_row][i]),
&Z_STRLEN(result->data[result->cur_row][i]), 1 TSRMLS_CC);
there the string stored in the zval gets freed without destroying the
zval itself, so later if the destructor of the the zval gets called (in
_free_result) the data is already freed and php crashes with a memory
exception.
to (quick)fix this just change the function call to
data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]),
Z_STRLEN(result->data[result->cur_row][i]), &data_len, 0 TSRMLS_CC);
the data_len is there since the length of the passed string doesn't
change and if it gets changed by php_addslashes we will get warnings of
not 0 terminated strings sometimes. and the last parameter was changed
to 0 so php_addslashes doesn't free the memory.
regards
Dominik del Bondio
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=17497&edit=1
