|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2005-05-28 00:59 UTC] jsnell at networkninja dot com
Description:
------------
Calling pg_fetch_array() with the results of a division followed by calling it with a constant causes a segfault. I have confirmed it in both cgi and mod php 5.0.4 and also in cgi php 5.0.3.
Reproduce code:
---------------
// need a valid database to connect to
// contents don't matter
$query = 'select 1 as one';
$db_user = "your_user";
$db_password = "your_pass";
$db_name = "your_db";
$db_port = 5432;
$connect_string = "user=$db_user " .
"password=$db_password " .
"port=$db_port ".
"dbname=$db_name";
$db_link = pg_connect($connect_string);
$result = pg_exec($db_link, $query);
$i = floor(4/5);
$data = pg_fetch_array($result, $i);
$i = 0;
$data = pg_fetch_array($result, $i);
echo("No segfault");
Expected result:
----------------
No segfault
Actual result:
--------------
gdb backtrace:
#0 0x0820cf3b in _zend_hash_index_update_or_next_insert ()
#1 0x08209c53 in add_index_stringl ()
#2 0x406bee43 in zif_pg_fetch_result () from /usr/lib/php5/20041030/pgsql.so
#3 0x406bf10f in zif_pg_fetch_array () from /usr/lib/php5/20041030/pgsql.so
#4 0x0823c4da in zend_do_fcall_common_helper ()
#5 0x0823cb11 in zend_do_fcall_handler ()
#6 0x08224cb5 in execute ()
#7 0x08207e28 in zend_execute_scripts ()
#8 0x081d8bca in php_execute_script ()
#9 0x0824c3f4 in main ()
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Nov 01 07:00:01 2025 UTC |
I had to modify my source a bit to get any output. For some reason PHP was exiting normally despite stopping half way through the script. Here's the modified source: <?php error_reporting(E_STRICT | E_ALL); $db_user = "db_user"; $db_password = "db_pass"; $db_name = "db_name"; $db_port = 5432; $connect_string = "user=$db_user " . "password=$db_password " . "port=$db_port ". "dbname=$db_name"; $db_link = pg_connect($connect_string); $query = 'select 1 as one'; $result = pg_exec($db_link, $query); $i = (float) floor(4/5); echo("PRE"); flush(); $data = pg_fetch_array($result, $i); // i think it gets corrupted here echo('i:'.$i); flush(); $data = pg_fetch_array($result, ($i)); $data = pg_fetch_array($result, ($i)); echo("z\n"); ?> And the backtrace: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1213273280 (LWP 17172)] 0xb7d455e7 in memcpy () from /lib/tls/libc.so.6 (gdb) bt #0 0xb7d455e7 in memcpy () from /lib/tls/libc.so.6 #1 0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44, op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180 #2 0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffc8a0) at zend_vm_execute.h:3502 #3 0x082bb177 in execute (op_array=0x848ce2c) at zend_vm_execute.h:88 #4 0x0828ea39 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php5-200510021630/Zend/zend.c:1087 #5 0x08245090 in php_execute_script (primary_file=0xbfffed20) at /usr/src/php5-200510021630/main/main.c:1677 #6 0x0830943c in main (argc=4, argv=0xbfffedf4) at /usr/src/php5-200510021630/sapi/cli/php_cli.c:1039 Here's some extra information which I hope will help: (gdb) frame 1 #1 0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44, op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180 1180 memcpy(result->value.str.val+op1->value.str.len, op2->value.str.val, op2->value.str.len); (gdb) print result->value.str $1 = {val = 0x5d54802c "i:", len = 1515870812} (gdb) print op1->value.str.len $2 = 2 (gdb) print op2->value.str.val $3 = 0x0 (gdb) print op2->value.str.len $4 = 1515870810 (gdb) (gdb) frame 2 #2 0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffcd20) at zend_vm_execute.h:3502 3502 concat_function(&EX_T(opline->result.u.var).tmp_var, (gdb) print *opline $74 = {handler = 0x82c2b78 <ZEND_CONCAT_SPEC_CONST_CV_HANDLER>, result = { op_type = 2, u = {constant = {value = {lval = 580, dval = 2.86558074587923e-321, str = { val = 0x244 <Address 0x244 out of bounds>, len = 0}, ht = 0x244, obj = {handle = 580, handlers = 0x0}}, refcount = 0, type = 0 '\0', is_ref = 0 '\0'}, var = 580, opline_num = 580, op_array = 0x244, jmp_addr = 0x244, EA = {var = 580, type = 0}}}, op1 = {op_type = 1, u = {constant = {value = {lval = 139013284, dval = 4.3126732698705173e-314, str = {val = 0x8492ca4 "i:", len = 2}, ht = 0x8492ca4, obj = {handle = 139013284, handlers = 0x2}}, refcount = 2, type = 6 '\006', is_ref = 1 '\001'}, var = 139013284, opline_num = 139013284, op_array = 0x8492ca4, jmp_addr = 0x8492ca4, EA = {var = 139013284, type = 2}}}, op2 = {op_type = 16, u = {constant = {value = {lval = 8, dval = 3.3951932659396882e-313, str = { val = 0x8 <Address 0x8 out of bounds>, len = 16}, ht = 0x8, obj = {handle = 8, handlers = 0x10}}, refcount = 1, type = 6 '\006', is_ref = 0 '\0'}, var = 8, opline_num = 8, op_array = 0x8, jmp_addr = 0x8, EA = {var = 8, type = 16}}}, extended_value = 0, lineno = 20, opcode = 8 '\b'}