Edit report at http://bugs.php.net/bug.php?id=45941&edit=1

 ID:               45941
 Updated by:       and...@php.net
 Reported by:      tony2...@php.net
 Summary:          mysqli_stmt_fetch() crashes
-Status:           Assigned
+Status:           Closed
 Type:             Bug
 Package:          MySQLi related
 Operating System: Linux 64bit
 PHP Version:      5.3CVS-2008-08-28 (CVS)
 Assigned To:      mysql

 New Comment:

Can't reproduce anymore, seems fixed.


Previous Comments:
------------------------------------------------------------------------
[2009-04-20 18:10:52] andrey dot hristov at sun dot com

Tony, I think I have seen this problem and it is because libmysql is
faulty. I think it won't be reproducible with mysqlnd. There are other
places where you can see problems with libmysql but mysqlnd will
perfectly work. These are present in the test cases so we don't forget
them.

------------------------------------------------------------------------
[2008-08-28 09:42:58] tony2...@php.net

Description:
------------
ext/mysqli/tests/mysqli_stmt_bind_result.phpt crashes.

The invalid write and the crash it causes are reproducible both in ZTS
and non-ZTS modes.



#  mysql --version

mysql  Ver 14.12 Distrib 5.0.26, for suse-linux-gnu (x86_64) using readline 5.1

Using ./configure --with-mysqli seems to be enough (i.e. no mysqlnd used).

Reproduce code:
---------------
See ext/mysqli/tests/mysqli_stmt_bind_result.phpt

Actual result:
--------------
GDB bt:

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
    tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
842                             if (Z_TYPE_P(stmt->result.vars[i]) == IS_STRING) {
(gdb) bt
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
    tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
#1  0x00000000006e2aaa in zif_mysqli_stmt_fetch (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:984
#2  0x0000000000d3e3ca in zend_do_fcall_common_helper_SPEC (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:315
#3  0x0000000000d48039 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:1574
#4  0x0000000000d3c7ef in execute (op_array=0x1bf0240, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:104
#5  0x0000000000ce945f in zend_execute_scripts (type=8, tsrm_ls=0x18940c0, retval=0x0, file_count=3) at /local/qa/5_3.gcov/Zend/zend.c:1197
#6  0x0000000000bff458 in php_execute_script (primary_file=0x7fffb30af670, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/main/main.c:2074
#7  0x0000000000e04d76 in main (argc=61, argv=0x7fffb30af8c8) at /local/qa/5_3.gcov/sapi/cli/php_cli.c:1130




Valgrind log:

==25793== Invalid write of size 1
==25793==    at 0x5CC414: mysqli_stmt_fetch_libmysql (mysqli_api.c:826)
==25793==    by 0x5CCC93: zif_mysqli_stmt_fetch (mysqli_api.c:984)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==  Address 0x8b83368 is 0 bytes after a block of size 256 alloc'd
==25793==    at 0x4C22DAB: malloc (vg_replace_malloc.c:207)
==25793==    by 0x97D83A: _emalloc (zend_alloc.c:2285)
==25793==    by 0x5C9EBB: mysqli_stmt_bind_result_do_bind (mysqli_api.c:407)
==25793==    by 0x5CA55C: zif_mysqli_stmt_bind_result (mysqli_api.c:499)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==
==25793== Invalid read of size 8
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)
==25793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25793==
==25793== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25793==  Access not within mapped region at address 0x0
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)



------------------------------------------------------------------------
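Added illustration, not part of this bug report and not mysqli's code: the valgrind signature in the report above (a 1-byte invalid write landing "0 bytes after a block of size 256") is the general shape of a buffer allocated for N payload bytes that then receives an N+1st terminator byte. The C below shows that shape beside the corrected allocation, with a size helper and a small function that expresses a store's position in valgrind's "bytes after the block" terms. All function names are made up for the example; the defective variant is included for reading only and is never executed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustration only (names are made up; this is not mysqli's code): the shape
 * of a heap overflow that valgrind reports as
 *   "Invalid write of size 1 ... is 0 bytes after a block of size N alloc'd".
 * A buffer is allocated for N payload bytes and the code then stores a
 * one-byte terminator at index N, the first byte past the allocation. */

/* Defective variant: malloc(len) but len + 1 bytes written.
 * Kept for reading only; nothing in this file calls it. */
char *copy_terminated_defective(const char *src, size_t len)
{
    char *buf = malloc(len);            /* block of size len */
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';                    /* 1-byte write, 0 bytes after the block */
    return buf;
}

/* Size an allocation needs to hold `payload` bytes plus a NUL terminator.
 * Returns 0 if payload + 1 would wrap around, so callers refuse instead of
 * allocating a too-small block. */
size_t terminated_size(size_t payload)
{
    if (payload == SIZE_MAX)
        return 0;
    return payload + 1;
}

/* Corrected variant: the terminator has room reserved for it. */
char *copy_terminated(const char *src, size_t len)
{
    size_t need = terminated_size(len);
    if (need == 0)
        return NULL;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';                    /* index len < need: inside the block */
    return buf;
}

/* Where a store at `index` lands relative to the end of a block of
 * `block_size` bytes, in valgrind's terms: negative means inside the block,
 * 0 means "0 bytes after" the block (the case in the log above), positive
 * means further past the end. */
long long offset_from_block_end(size_t block_size, size_t index)
{
    return (long long)index - (long long)block_size;
}

int main(void)
{
    /* Constructed sample: a 256-byte value, the block size seen in the log. */
    char value[256];
    memset(value, 'x', sizeof value);

    char *copy = copy_terminated(value, sizeof value);
    if (copy == NULL)
        return 1;
    int ok = strlen(copy) == 256 && offset_from_block_end(256, 256) == 0;
    free(copy);
    return ok ? 0 : 1;
}
```

Running the corrected variant under valgrind or AddressSanitizer reports nothing; swapping in the defective variant reproduces the "0 bytes after a block" message, which is the quickest way to confirm that a report of this shape is a missing terminator byte rather than a wild pointer.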


