php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44200 PDO_PGSQL crash on SELECT "?"
Submitted: 2008-02-21 10:07 UTC Modified: 2008-02-24 16:09 UTC
From: uwendel at mysql dot com Assigned:
Status: Closed Package: PDO related
PHP Version: 5.3CVS-2008-02-21 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2008-02-21 10:07 UTC] uwendel at mysql dot com
Description:
------------
PDO_PGSQL will crash when executing the following:

$pdo = new PDO(...);
$stmt = $pdo->prepare("SELECT \"?\"");
$stmt->execute(array("questionmark"));


Reproduce code:
---------------
ixnutz@ulflinux:~/php53> valgrind sapi/cli/php -r '$pdo = new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); $stmt = $pdo->prepare("SELECT \"?\""); $stmt->execute(array("questionmark"));'
==13955== Memcheck, a memory error detector.
==13955== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==13955== Using LibVEX rev 1732, a library for dynamic binary translation.
==13955== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==13955== Using valgrind-3.2.3, a dynamic binary instrumentation framework.
==13955== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==13955== For more details, rerun with: -v
==13955==
==13955== Conditional jump or move depends on uninitialised value(s)
==13955==    at 0x715D43F: slpmloclfv (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x715D17E: slpmloc (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x715A6A4: lpmloadpkg (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x71404EE: lfvLoadPkg (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x7140179: lfvSetShlMode (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x713FF78: lfvini1 (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x713FC94: lfvinit (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x6D62C29: kpummpin (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x66CC064: kpuenvcr (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x676CE5D: OCIEnvCreate (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==13955==    by 0x49D857: zm_startup_pdo_oci (pdo_oci.c:96)
==13955==    by 0x603A76: zend_startup_module_ex (zend_API.c:1607)
==13955==
==13955== Invalid read of size 4
==13955==    at 0x608E90: zend_hash_num_elements (zend_hash.c:1014)
==13955==    by 0x4A2BE2: pgsql_stmt_param_hook (pgsql_statement.c:254)
==13955==    by 0x495C13: dispatch_param_event (pdo_stmt.c:173)
==13955==    by 0x49785A: zim_PDOStatement_execute (pdo_stmt.c:494)
==13955==    by 0x62C1A3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:190)
==13955==    by 0x61E4CA: execute (zend_vm_execute.h:91)
==13955==    by 0x5F1A32: zend_eval_string (zend_execute_API.c:1278)
==13955==    by 0x5F1BA7: zend_eval_string_ex (zend_execute_API.c:1311)
==13955==    by 0x68A80C: main (php_cli.c:1175)
==13955==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==13955==
==13955== Process terminating with default action of signal 11 (SIGSEGV)
==13955==  Access not within mapped region at address 0x8
==13955==    at 0x608E90: zend_hash_num_elements (zend_hash.c:1014)
==13955==    by 0x4A2BE2: pgsql_stmt_param_hook (pgsql_statement.c:254)
==13955==    by 0x495C13: dispatch_param_event (pdo_stmt.c:173)
==13955==    by 0x49785A: zim_PDOStatement_execute (pdo_stmt.c:494)
==13955==    by 0x62C1A3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:190)
==13955==    by 0x61E4CA: execute (zend_vm_execute.h:91)
==13955==    by 0x5F1A32: zend_eval_string (zend_execute_API.c:1278)
==13955==    by 0x5F1BA7: zend_eval_string_ex (zend_execute_API.c:1311)
==13955==    by 0x68A80C: main (php_cli.c:1175)
==13955==
==13955== Invalid free() / delete / delete[]
==13955==    at 0x4C2191B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13955==    by 0x7D7EB6A: (within /lib64/libc-2.6.1.so)
==13955==    by 0x7D7E738: __libc_freeres (in /lib64/libc-2.6.1.so)
==13955==    by 0x4A1D354: _vgnU_freeres (in /usr/lib64/valgrind/amd64-linux/vgpreload_core.so)
==13955==    by 0x4A2BE2: pgsql_stmt_param_hook (pgsql_statement.c:254)
==13955==    by 0x495C13: dispatch_param_event (pdo_stmt.c:173)
==13955==    by 0x49785A: zim_PDOStatement_execute (pdo_stmt.c:494)
==13955==    by 0x62C1A3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:190)
==13955==    by 0x61E4CA: execute (zend_vm_execute.h:91)
==13955==    by 0x5F1A32: zend_eval_string (zend_execute_API.c:1278)
==13955==    by 0x5F1BA7: zend_eval_string_ex (zend_execute_API.c:1311)
==13955==    by 0x68A80C: main (php_cli.c:1175)
==13955==  Address 0x4049978 is not stack'd, malloc'd or (recently) free'd
==13955==
==13955== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 20 from 2)
==13955== malloc/free: in use at exit: 3,103,433 bytes in 10,493 blocks.
==13955== malloc/free: 11,015 allocs, 523 frees, 3,424,549 bytes allocated.
==13955== For counts of detected errors, rerun with: -v
==13955== searching for pointers to 10,493 not-freed blocks.
==13955== checked 4,529,816 bytes.
==13955==
==13955== LEAK SUMMARY:
==13955==    definitely lost: 0 bytes in 0 blocks.
==13955==      possibly lost: 0 bytes in 0 blocks.
==13955==    still reachable: 3,103,433 bytes in 10,493 blocks.
==13955==         suppressed: 0 bytes in 0 blocks.
==13955== Rerun with --leak-check=full to see details of leaked memory.
Speicherzugriffsfehler



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-24 16:09 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC