From: pumuckel at metropolis dot de
Operating system: Linux Gentoo
PHP version: 5.3CVS-2008-05-16 (snap)
PHP Bug Type: MySQLi related
Bug description: Segmentation fault with SELECT ? and UNION
Description:
------------
We experienced some strange behaviour when using "INSERT INTO ... select ? ... union select ? ...". Some bound variables have been inserted, but were truncated somewhere within the strings. We have created a simple test script which only selects and returns the contents we bound. With "SELECT ? UNION SELECT ?" and 2 bound variables we can see that the contents of the variables are not the same when reading back from db. With the code below we even managed to get a segmentation fault.

Reproduce code:
---------------
<?php
// $hostname, $username, $password and $dbname are assumed to be defined before this point
$db = new mysqli($hostname, $username, $password, $dbname);
$foo  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$foo2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
// three-row UNION: a literal, then the two bound strings cast to CHAR(20) and CHAR(50)
$stmt = $db->prepare("SELECT CAST('x' as CHAR) X UNION SELECT CAST(? AS CHAR(20)) UNION SELECT CAST(? as CHAR(50))");
$stmt->bind_param("ss", $foo, $foo2);
$stmt->bind_result($bar);
$stmt->execute();
$stmt->fetch();   // first row: the literal 'x'
echo("F1: $bar vs $foo (".strlen($bar)." vs. ".strlen($foo).")\n");
$stmt->fetch();   // second row: $foo cast to CHAR(20)
echo("F2: $bar vs $foo (".strlen($bar)." vs. ".strlen($foo).")\n");
$stmt->fetch();   // third row: $foo2 cast to CHAR(50)
echo("F3: $bar vs $foo2 (".strlen($bar)." vs. ".strlen($foo2).")\n");
$stmt->free_result();
$stmt->close();
?>

Expected result:
----------------
Returned variable $bar should contain contents of 'x', $foo, $foo2:
F1: x vs 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (1 vs. 36)
F2: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ vs 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (36 vs. 36)
F3: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ vs 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (36 vs. 36)

Actual result:
--------------
F1: x vs 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (1 vs. 36)
F2: 0123 vs 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (4 vs. 36)
Segmentation fault

With gdb:
F1: x vs 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (1 vs. 36)
F2: 0123 vs 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (4 vs. 36)

Program received signal SIGSEGV, Segmentation fault.
mysqli_stmt_fetch_libmysql (ht=0, return_value=0x86f9288, return_value_ptr=0x0, this_ptr=0x86f8fb8, return_value_used=0) at /usr/local/src/php5.3-200805151430/ext/mysqli/mysqli_api.c:837
837         if (Z_TYPE_P(stmt->result.vars[i]) == IS_STRING) {
(gdb) where
#0  mysqli_stmt_fetch_libmysql (ht=0, return_value=0x86f9288, return_value_ptr=0x0, this_ptr=0x86f8fb8, return_value_used=0) at /usr/local/src/php5.3-200805151430/ext/mysqli/mysqli_api.c:837
#1  0x082e92bd in zend_do_fcall_common_helper_SPEC (execute_data=0x8729f38) at /usr/local/src/php5.3-200805151430/Zend/zend_vm_execute.h:194
#2  0x082daa77 in execute (op_array=0x86f843c) at /usr/local/src/php5.3-200805151430/Zend/zend_vm_execute.h:96
#3  0x082ba797 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php5.3-200805151430/Zend/zend.c:1195
#4  0x0826ad8c in php_execute_script (primary_file=0xbfd034f4) at /usr/local/src/php5.3-200805151430/main/main.c:2077
#5  0x083437f6 in main (argc=2, argv=0xbfd03684) at /usr/local/src/php5.3-200805151430/sapi/cli/php_cli.c:1139

-- 
Edit bug report at http://bugs.php.net/?id=45019&edit=1
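The report shows bound string data coming back shorter than it went in, followed by a crash in mysqli_stmt_fetch_libmysql on the next fetch. The following is an added example, not code from the reporter or from PHP: a round-trip check that makes such truncation observable and stops at the first mismatch instead of fetching further, so a truncated value is never handed on (for instance into the INSERT ... SELECT the reporter mentions). It assumes $hostname, $username, $password and $dbname are defined and a MySQL server is reachable; the function name roundtrip_check is hypothetical. Two caveats: MySQL's CAST(expr AS CHAR(20)) keeps at most 20 characters, so the second row is legitimately the 20-byte prefix rather than the full 36 bytes (the 4-byte value in the report is wrong either way), and a userland check cannot prevent a crash inside the extension itself; whether buffering with store_result() changes the behaviour on the affected snapshot is not established by the report.

```php
<?php
// Added example; not part of the bug report. Assumes $hostname, $username,
// $password and $dbname are defined (assumption) and a MySQL server is reachable.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on mysqli errors instead of returning false

/**
 * Run $sql with the given bound parameters and compare every value of the
 * single result column, byte for byte, against $expected. Returns true only
 * when all rows match and the row count is right; on the first mismatch it
 * reports the byte lengths and stops without fetching further rows.
 */
function roundtrip_check(mysqli $db, $sql, $types, array $params, array $expected)
{
    $stmt = $db->prepare($sql);

    // bind_param() takes its parameters by reference, so build a reference list.
    $args = array($types);
    foreach (array_keys($params) as $i) {
        $args[] = &$params[$i];
    }
    call_user_func_array(array($stmt, 'bind_param'), $args);

    $stmt->execute();
    // Buffer the complete result set on the client before binding output
    // variables, so the column length of the whole UNION is known up front.
    $stmt->store_result();
    $stmt->bind_result($col);

    $ok   = true;
    $rows = 0;
    while (true) {
        $r = $stmt->fetch();
        if ($r === null) {          // no more rows, or data truncation (per the mysqli manual)
            break;
        }
        if ($r === false) {         // fetch error
            $ok = false;
            break;
        }
        if (!isset($expected[$rows]) || $col !== $expected[$rows]) {
            printf("row %d mismatch: got %d bytes, expected %d bytes\n",
                   $rows, strlen($col),
                   isset($expected[$rows]) ? strlen($expected[$rows]) : 0);
            $ok = false;
            break;
        }
        $rows++;
    }
    $stmt->free_result();
    $stmt->close();

    if ($rows !== count($expected)) {
        printf("row count mismatch: got %d, expected %d\n", $rows, count($expected));
        $ok = false;
    }
    return $ok;
}

$db  = new mysqli($hostname, $username, $password, $dbname);
$foo = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$sql = "SELECT CAST('x' AS CHAR) X UNION SELECT CAST(? AS CHAR(20)) UNION SELECT CAST(? AS CHAR(50))";

// CAST(... AS CHAR(20)) keeps at most 20 characters, so the second row is
// legitimately the 20-byte prefix; the third row must come back intact.
$expected = array('x', substr($foo, 0, 20), $foo);
var_dump(roundtrip_check($db, $sql, "ss", array($foo, $foo), $expected));
```

On a correct build the script prints bool(true); on the affected snapshot the second row should trip the length check (4 bytes against 20) and the function returns false before the third fetch is attempted. MYSQLI_REPORT_STRICT turns prepare/execute failures into exceptions so a silently failed statement is not mistaken for an empty result.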