From: squasar at eternalviper dot net
Operating system: *
PHP version: 5.1.0RC1
PHP Bug Type: MySQLi related
Bug description: new mysqli_stmt() crashes if first parameter is not a valid mysqli_link
Description:
------------
Calling __construct() on mysqli_stmt with an unset variable as the mysqli_link crashes PHP in mysqli_stmt_construct. Note that this is actually 5.1.0RC2 (CVS tag php_5_1_0RC2_PRE). This may affect other MySQLi functions (?). A possible fix, minus a more informative error message, is here, but my instinct says there may be more going on behind this than the check in MYSQLI_FETCH_RESOURCE(), since passing a literal NULL or similar instead of an undefined variable gives an error message instead of crashing.

Index: ext/mysqli/php_mysqli.h
===================================================================
RCS file: /repository/php-src/ext/mysqli/php_mysqli.h,v
retrieving revision 1.54
diff -u -r1.54 php_mysqli.h
--- ext/mysqli/php_mysqli.h 3 Aug 2005 14:07:31 -0000 1.54
+++ ext/mysqli/php_mysqli.h 10 Oct 2005 19:17:35 -0000
@@ -202,7 +202,12 @@ #define MYSQLI_FETCH_RESOURCE(__ptr, __type, __id, __name) \ { \ MYSQLI_RESOURCE *my_res; \ - mysqli_object *intern = (mysqli_object *) zend_object_store_get_object(*(__id) TSRMLS_CC);\ + mysqli_object *intern = NULL; \ + if (Z_TYPE_PP(__id) != IS_OBJECT) {\ + php_error(E_WARNING, "Object parameter invalid"); \ + RETURN_NULL(); \ + } \ + intern = (mysqli_object *) zend_object_store_get_object(*(__id) TSRMLS_CC);\ if (!(my_res = (MYSQLI_RESOURCE *)intern->ptr)) {\ php_error(E_WARNING, "Couldn't fetch %s", intern->zo.ce->name);\ RETURN_NULL();\

Reproduce code:
---------------
<?php $s = new mysqli_stmt( $undefined, "SELECT 1 FROM DUAL" ); ?>

Expected result:
----------------
Warning: Object parameter invalid in - on line 1

Actual result:
--------------
Bus error

Thread 0 Crashed:
0 php 0x000c1bb8 zif_mysqli_stmt_construct + 252 (mysqli.c:675)
1 php 0x0020ab88 zend_do_fcall_common_helper_SPEC + 1560 (zend_vm_execute.h:184)
2 php 0x0020a4c4 execute + 520 (zend_vm_execute.h:87)
3 php 0x001e0630 zend_execute_scripts + 444 (zend.c:1079)
4 php 0x00195334 php_execute_script + 780 (main.c:1679)
5 php 0x002921ac main + 3684 (php_cli.c:1040)
6 php 0x00002b58 _start + 344 (crt.c:272)
7 php 0x000029fc start + 60

-- 
Edit bug report at http://bugs.php.net/?id=34818&edit=1
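Review bot: the new guard in MYSQLI_FETCH_RESOURCE only rejects non-objects (`Z_TYPE_PP(__id) != IS_OBJECT`), so any object still gets through, for instance a plain stdClass passed where a mysqli link is expected; for such an object `zend_object_store_get_object()` hands back a zend_object that is not a mysqli_object, and the unchanged `(mysqli_object *)` cast followed by `intern->ptr` on the next line then reads beyond that object. The macro already receives `__type` and `__name` from the caller, so the check should also verify the object's class entry against the expected mysqli class before the cast, and the warning could name `__name` so users learn which parameter was wrong rather than the bare "Object parameter invalid". Also, as the reporter suspects, the backtrace puts the crash in zif_mysqli_stmt_construct (mysqli.c:675) and a literal NULL already yields a warning instead of a crash, which suggests the undefined-variable path is dereferenced in the constructor before this macro runs; that call site needs looking at as well, or this hunk alone may not stop the bus error.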
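As an added example (not part of the original report or of PHP's own code): a small PHP harness that runs the reporter's reproduce case, the literal-NULL variant they contrast it with, and a few further argument kinds (including a non-mysqli object, the case the IS_OBJECT check alone would not catch), each in a child `php` process, and reports per case whether the interpreter died by signal or exited normally with a warning. It assumes a CLI `php` with ext/mysqli loaded, PHP 7.4 or later for the array form of `proc_open()`, and no database server; the case list and the classification are this example's own construction.

```php
<?php
// Added example, not part of bug #34818 or of PHP itself: probe how
// `new mysqli_stmt()` reacts to different first arguments. Each case runs
// in a separate child php process so that a crash (bus error / segfault)
// kills only the child and shows up as a signal instead of taking the
// harness down with it.
//
// Assumptions: PHP_BINARY is a CLI php with ext/mysqli loaded, and PHP >= 7.4
// (array form of proc_open, so no shell quoting is involved). The case list
// below is constructed for this example.

$cases = [
    'undefined variable' => '$s = new mysqli_stmt($undefined, "SELECT 1 FROM DUAL");',
    'literal null'       => '$s = new mysqli_stmt(null, "SELECT 1 FROM DUAL");',
    'integer'            => '$s = new mysqli_stmt(42, "SELECT 1 FROM DUAL");',
    'string'             => '$s = new mysqli_stmt("link", "SELECT 1 FROM DUAL");',
    'non-mysqli object'  => '$s = new mysqli_stmt(new stdClass(), "SELECT 1 FROM DUAL");',
    'unconnected mysqli' => '$s = new mysqli_stmt(mysqli_init(), "SELECT 1 FROM DUAL");',
];

/**
 * Run one snippet via `php -r` and return [status array, combined output].
 * The status array is the final proc_get_status() result, taken after the
 * child has stopped, so exitcode / signaled / termsig are meaningful.
 */
function run_case(string $code): array
{
    $cmd = [
        PHP_BINARY,
        '-d', 'display_errors=1',   // warnings go to the pipes we read ...
        '-d', 'error_reporting=-1', // ... and nothing is suppressed
        '-r', $code,
    ];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }

    // Drain both pipes (the output per case is a warning at most, so reading
    // them one after the other cannot fill a pipe and stall the child).
    $output = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // Wait until the child has really terminated: proc_get_status() reports a
    // valid exitcode/termsig only on the first call after termination.
    do {
        $status = proc_get_status($proc);
        if ($status['running']) {
            usleep(10000);
        }
    } while ($status['running']);
    proc_close($proc);

    return [$status, $output];
}

/** One-line verdict: killed by signal (crash) or normal exit with its first output line. */
function classify(array $status, string $output): string
{
    if ($status['signaled']) {
        return sprintf('CRASH (child killed by signal %d)', $status['termsig']);
    }
    $firstLine = strtok(trim($output), "\n");
    return sprintf('exit %d: %s', $status['exitcode'],
        $firstLine === false ? '(no output)' : $firstLine);
}

foreach ($cases as $label => $code) {
    [$status, $output] = run_case($code);
    printf("%-20s %s\n", $label, classify($status, $output));
}
```

On a build with the bug, the "undefined variable" row is the one expected to show a signal; every other row should show a normal exit with a warning or, on current PHP, a TypeError. Running the same harness before and after applying a patch is a quick way to confirm that all argument kinds, not just the unset-variable case, now fail gracefully.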