|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2002-10-28 14:16 UTC] sterling@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Mar 29 04:01:32 2025 UTC |
I've found a bug in the mssql extension: If magic_quotes_runtime is set every mssql_fetch_* produces a crash of php due to double freed memory. The problem itself is produced in the following code: if (PG(magic_quotes_runtime)) { data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &Z_STRLEN(result->data[result->cur_row][i]), 1 TSRMLS_CC); there the string stored in the zval gets freed without destroying the zval itself, so later if the destructor of the the zval gets called (in _free_result) the data is already freed and php crashes with a memory exception. to (quick)fix this just change the function call to data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &data_len, 0 TSRMLS_CC); the data_len is there since the length of the passed string doesn't change and if it gets changed by php_addslashes we will get warnings of not 0 terminated strings sometimes. and the last parameter was changed to 0 so php_addslashes doesn't free the memory. regards Dominik del Bondio