PHP :: Bug #48240 :: DBA Segmentation fault dba

Bug #48240

DBA Segmentation fault dba_nextkey

Submitted:

2009-05-12 03:29 UTC

Modified:

2010-06-13 19:03 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

VJTD3 at VJTD3 dot com

Assigned:

felipe (profile)

Status:

Closed

Package:

DBM/DBA related

PHP Version:

5.2.9

OS:

linux redhat fedora 10

Private report:

CVE-ID:

None

View Developer Edit

[2009-05-12 03:29 UTC] VJTD3 at VJTD3 dot com

Description:
------------
DBA Segmentation fault on function dba_nextkey without dba_firstkey before dba_nextkey.

Reproduce code:
---------------
./configure --enable-dba --with-db4 --disable-libxml --disable-dom --disable-simplexml --disable-libxml --disable-xml --disable-xmlreader --disable-xmlwriter --without-pear

<?php
 $dba = dba_open('database', 'r', 'db4');
 $key = dba_nextkey($dba);
 echo $key.':'.dba_fetch($key, $dba)."\n";
?>

db4-4.7.25-7

Expected result:
----------------
the first key by default or at least a error vs seg fault. (yes, i know dba_firstkey should be before dba_nextkey however segfaults are probably not a good reaction, defaulting to the first record or a error is better...)

Actual result:
--------------
seg fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-05-12 05:25 UTC] jani@php.net

Could you provide a test db (or does this happen with any?) somewhere?
And/or a gdb backtrace of the crash?

[2009-05-12 13:30 UTC] VJTD3 at VJTD3 dot com

<?php
 $dba = dba_open('database', 'c', 'db4');
 dba_insert('php', 'crashed', $dba);
 $key = dba_nextkey($dba);
 echo $key.':'.dba_fetch($key, $dba)."\n";
?>

that alone will seg fault. it's happens on any database driver when dba_nextkey is used before dba_firstkey. that snippet will create a fresh database and crash to test easier.

[2009-05-12 14:31 UTC] VJTD3 at VJTD3 dot com

[New Thread 0xb7ff56c0 (LWP 10754)]

Program received signal SIGSEGV, Segmentation fault.
0x080d0c66 in dba_nextkey_db4 (info=0x84d75f0, newlen=0xbfffb360)
    at php-5.2.9/ext/dba/dba_db4.c:222
222             if (dba->cursor->c_get(dba->cursor, &gkey, &gval, DB_NEXT) == 0)                                                                              {
(gdb) bt
#0  0x080d0c66 in dba_nextkey_db4 (info=0x84d75f0, newlen=0xbfffb360)
    at php-5.2.9/ext/dba/dba_db4.c:222
#1  0x080cf3cc in zif_dba_nextkey (ht=1, return_value=0x84d6e78,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at php-5.2.9/ext/dba/dba.c:1101
#2  0x08304280 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:200
#3  0x08309bba in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:1729
#4  0x08303dfd in execute (op_array=0x84d7538)
    at php-5.2.9/Zend/zend_vm_execute.h:92
#5  0x082df04e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at php-5.2.9/Zend/zend.c:1134
#6  0x0828dd81 in php_execute_script (primary_file=0xbfffd8c4)
    at php-5.2.9/main/main.c:2023
#7  0x0835a851 in main (argc=2, argv=0xbfffda04)
    at php-5.2.9/sapi/cli/php_cli.c:1133
(gdb) frame 0
#0  0x080d0c66 in dba_nextkey_db4 (info=0x84d75f0, newlen=0xbfffb360)
    at php-5.2.9/ext/dba/dba_db4.c:222
222             if (dba->cursor->c_get(dba->cursor, &gkey, &gval, DB_NEXT) == 0)                                                                              {
(gdb) frame 1
#1  0x080cf3cc in zif_dba_nextkey (ht=1, return_value=0x84d6e78,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at php-5.2.9/ext/dba/dba.c:1101
1101            nkey = info->hnd->nextkey(info, &len TSRMLS_CC);
(gdb) frame 2
#2  0x08304280 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:200
200                             ((zend_internal_function *) EX(function_state).f                                                                             unction)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX                                                                             (function_state).function->common.return_reference?&EX_T(opline->result.u.var).v                                                                             ar.ptr:NULL, EX(object), return_value_used TSRMLS_CC);
(gdb) frame 3
#3  0x08309bba in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:1729
1729            return zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS                                                                             _PASSTHRU);
(gdb) frame 4
#4  0x08303dfd in execute (op_array=0x84d7538)
    at php-5.2.9/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) frame 5
#5  0x082df04e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at php-5.2.9/Zend/zend.c:1134
1134                            zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 6
#6  0x0828dd81 in php_execute_script (primary_file=0xbfffd8c4)
    at php-5.2.9/main/main.c:2023
2023                    retval = (zend_execute_scripts(ZEND_REQUIRE TSRMLS_CC, N                                                                             ULL, 3, prepend_file_p, primary_file, append_file_p) == SUCCESS);
(gdb) frame 7
#7  0x0835a851 in main (argc=2, argv=0xbfffda04)
    at php-5.2.9/sapi/cli/php_cli.c:1133
1133                            php_execute_script(&file_handle TSRMLS_CC);
(gdb)


if you need me to go into more i can. it looks like it's just referencing a value not set till dba_firstkey is called. (does not have a previous index to find the next.)

[2009-05-13 02:17 UTC] felipe@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.

FALSE is returned now.

[2009-05-13 07:16 UTC] VJTD3 at VJTD3 dot com

can this be changed to return the first result if there is one and false if there are none?

db_firstkey is a rewind, db_nextkey is a iterator. starting from the beginning makes sense.

[2009-05-19 05:03 UTC] VJTD3 at VJTD3 dot com

i didn't see a reply, changed it to open in case that's needed for devs.

[2010-06-13 19:03 UTC] felipe@php.net

-Status: Assigned +Status: Closed

[2010-06-13 19:03 UTC] felipe@php.net

The crash has been fixed, to change the behavior (when wasn't crashing) lead to BC.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 08:01:29 2024 UTC