ID:               45941
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Assigned
 Bug Type:         MySQLi related
 Operating System: Linux 64bit
 PHP Version:      5.3CVS-2008-08-28 (CVS)
-Assigned To:      
+Assigned To:      andrey


Previous Comments:
------------------------------------------------------------------------

[2008-08-28 09:42:58] [EMAIL PROTECTED]

Description:
------------
ext/mysqli/tests/mysqli_stmt_bind_result.phpt crashes.
The invalid write and the crash it causes are reproducible both in ZTS
and non-ZTS modes.

#  mysql --version
mysql  Ver 14.12 Distrib 5.0.26, for suse-linux-gnu (x86_64) using readline 5.1

Using ./configure --with-mysqli seems to be enough (i.e. no mysqlnd
used).

Reproduce code:
---------------
See ext/mysqli/tests/mysqli_stmt_bind_result.phpt

Actual result:
--------------
GDB bt:

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
842                             if (Z_TYPE_P(stmt->result.vars[i]) == IS_STRING) {
(gdb) bt
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
#1  0x00000000006e2aaa in zif_mysqli_stmt_fetch (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:984
#2  0x0000000000d3e3ca in zend_do_fcall_common_helper_SPEC (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:315
#3  0x0000000000d48039 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:1574
#4  0x0000000000d3c7ef in execute (op_array=0x1bf0240, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:104
#5  0x0000000000ce945f in zend_execute_scripts (type=8, tsrm_ls=0x18940c0, retval=0x0, file_count=3) at /local/qa/5_3.gcov/Zend/zend.c:1197
#6  0x0000000000bff458 in php_execute_script (primary_file=0x7fffb30af670, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/main/main.c:2074
#7  0x0000000000e04d76 in main (argc=61, argv=0x7fffb30af8c8) at /local/qa/5_3.gcov/sapi/cli/php_cli.c:1130


Valgrind log:
==25793== Invalid write of size 1
==25793==    at 0x5CC414: mysqli_stmt_fetch_libmysql (mysqli_api.c:826)
==25793==    by 0x5CCC93: zif_mysqli_stmt_fetch (mysqli_api.c:984)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==  Address 0x8b83368 is 0 bytes after a block of size 256 alloc'd
==25793==    at 0x4C22DAB: malloc (vg_replace_malloc.c:207)
==25793==    by 0x97D83A: _emalloc (zend_alloc.c:2285)
==25793==    by 0x5C9EBB: mysqli_stmt_bind_result_do_bind (mysqli_api.c:407)
==25793==    by 0x5CA55C: zif_mysqli_stmt_bind_result (mysqli_api.c:499)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==
==25793== Invalid read of size 8
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)
==25793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25793==
==25793== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25793==  Access not within mapped region at address 0x0
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)



------------------------------------------------------------------------

