php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40285 The prepare parser goes into an infinite loop.
Submitted: 2007-01-30 10:52 UTC Modified: 2007-02-01 00:12 UTC
From: derick@php.net Assigned:
Status: Closed Package: PDO related
PHP Version: 5CVS-2007-01-30 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2007-01-30 10:52 UTC] derick@php.net
Description:
------------
When running the reproduce code below the parser "pdo_parse_params" in ext/pdo/pdo_sql_parser.re goes into an infinite loop. This is NOT reproducible with re2c 0.9.12, but it is with 0.10.4 and 0.11.0. 

When I re-generate the parser with 0.11.0 and the -d (debug) flag, and I provide the YYDEBUG macro as follows (for example below the #define YYFILL(n) macro definition:

#define YYDEBUG(s,c) { if (s != -1) { printf("state: %d ", s); printf("[%c]\n", c); } }

the output is:

state: 0 [I]
state: 8 [I]
state: 9 [N]
state: 8 [N]
state: 9 [S]
state: 8 [S]
state: 9 [E]
state: 8 [E]
state: 9 [R]
state: 8 [R]
state: 9 [T]
state: 8 [T]
state: 9 [ ]
state: 8 [ ]
state: 9 [I]
state: 8 [I]
state: 9 [N]
state: 8 [N]
state: 9 [T]
state: 8 [T]
state: 9 [O]
state: 8 [O]
state: 9 [ ]
state: 8 [ ]
state: 9 [q]
state: 8 [q]
state: 9 [u]
state: 8 [u]
state: 9 [e]
state: 8 [e]
state: 9 [r]
state: 8 [r]
state: 9 [y]
state: 8 [y]
state: 9 [_]
state: 8 [_]
state: 9 [t]
state: 8 [t]
state: 9 [e]
state: 8 [e]
state: 9 [s]
state: 8 [s]
state: 9 [t]
state: 8 [t]
state: 9 [ ]
state: 8 [ ]
state: 9 [V]
state: 8 [V]
state: 9 [A]
state: 8 [A]
state: 9 [L]
state: 8 [L]
state: 9 [U]
state: 8 [U]
state: 9 [E]
state: 8 [E]
state: 9 [S]
state: 8 [S]
state: 9 [(]
state: 8 [(]
state: 9 [ ]
state: 8 [ ]
state: 9 [']
state: 10 [']
1
state: 0 [']
state: 4 [']
state: 19 [:]
state: 20 [:]
state: 19 [:]
state: 20 [:]
state: 19 [:]
state: 20 [:]
state: 19 [:]
state: 20 [:]
state: 19 [:]

and from there on it loops.

From what I can see it has to do with some ambiguous rules for single quoted strings and the SPECIALS token.

Reproduce code:
---------------
<?php
$d = new PDO('mysql:dbname=ezc;host=localhost', 'root');
$d->setAttribute( PDO::ATTR_EMULATE_PREPARES, true );
$s = $d->prepare("INSERT INTO query_test VALUES( ':id', 'name', 'section', 22)" );
$s->execute();

(you don't actually need the table "query_test").

Expected result:
----------------
The values ":id", "name", "section" and 22 are added into the table.

Actual result:
--------------
An infinite loop in states 19 and 20 of the re2c parser.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-01-30 10:53 UTC] derick@php.net
Assigning to you Marcus, as you're the re2c guru.
 [2007-02-01 00:12 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 08:01:29 2024 UTC