ID: 50370
Updated by: f...@php.net
Reported By: nalply at gmail dot com
-Status: Open
+Status: Closed
Bug Type: ODBC related
Operating System: Debian Lenny amd64
PHP Version: 5.2.6

New Comment:

Thank you for your bug report. This issue has already been fixed in the latest released version of PHP, which you can download at http://www.php.net/downloads.php

Fixed in 5.2.7 - the only place to report this would be Debian then.

Previous Comments:
------------------------------------------------------------------------

[2009-12-04 09:47:05] freddy77 at gmail dot com

PHP 5.2.6 is the problem: in php_odbc_includes.h a len is declared as SDWORD, which is only 32-bit, while it should be 64-bit (SQLLEN).

------------------------------------------------------------------------

[2009-12-03 08:41:30] nalply at gmail dot com

The link does not work (it is too long). Use this instead: http://bit.ly/7e028s

------------------------------------------------------------------------

[2009-12-03 08:39:52] nalply at gmail dot com

Description:
------------
I have a page which reproducibly overwrites non-alloc'd memory (a write of 8 bytes instead of 4 bytes at the end of the range). It is caused by the call odbc_fetch_object(), and the bad write is in libtdsodbc.so. For more details see: http://serverfault.com/questions/90100/64bit-unixodbc-and-freetds-a-bug-in-libtdsodbc-so, there is a valgrind output.

It crashes in the Apache module only. The PHP command line with Suhosin reports a canary mismatch.

Note, it is version 5.2.6-1+lenny4, that's what Debian Lenny has installed, and not 5.2.11, because the form forced me to enter this version. I won't upgrade my PHP to a newer version. Take this bug report or leave it.

It is not sure whether the bug is in PHP ODBC or in TDS ODBC, so I am going to report this bug thrice: here and there and with Debian.

Reproduce code:
---------------
#!/usr/bin/php5
<?php
// Connect through unixODBC and run a one-row query; the DSN and credentials
// are placeholders for the reporter's own FreeTDS data source.
$conn = odbc_connect("dsn", "user", "password");
$query = odbc_exec($conn, "SELECT 'alpha' test");

echo "Before odbc_fetch_object(); query=$query\n";
flush();

// The bad write happens inside this call.
if ($query) {
    $row = odbc_fetch_object($query);
}

echo "After odbc_fetch_row();\n";
flush();

echo "Result=" . $row->test . "\n";
?>some static text

Expected result:
----------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

Actual result:
--------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text

------------------------------------------------------------------------