php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71049 SQLite3Stmt::execute() releases bound parameter instead of internal buffer
Submitted: 2015-12-07 12:33 UTC Modified: 2015-12-07 15:59 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: sustmidown at centrum dot cz Assigned: laruence (profile)
Status: Closed Package: SQLite related
PHP Version: 7.0.0 OS: Linux x86-64
Private report: No CVE-ID: None
 [2015-12-07 12:33 UTC] sustmidown at centrum dot cz
Description:
------------
In commit 352117b728cd3edb8b79c7ec4e45ae060224b6ad (https://github.com/php/php-src/commit/352117b728cd3edb8b79c7ec4e45ae060224b6ad) there was a change of condition which checked whether to call:
 zend_string_release(buffer);

from:
 if (stream) {

to:
 if (buffer) {

The problem is that buffer can point either to zend_string allocated in by php_stream_copy_to_mem() or to value of the bound parameter.

If the parameter is not a resource, buffer points to the value of the bound parameter and therefore it is released which later causes memory corruption and SIGSEGV - Segmentation fault.

With the supplied patch my test configuration runs OK. (I am sorry I cannot provide a test script, but its a bunch of unit tests run in PHP unit using SQLite as Doctrine metadata and DQL query cache.)

Expected result:
----------------
SQLite3Stmt::execute() should call zend_string_release() only on buffer containing result from php_stream_copy_to_mem().

Actual result:
--------------
SQLite3Stmt::execute() calls zend_string_release() on buffer containing Z_STR_P(parameter).

Patches

php-sqlite3-exec-bound-param-free-fix (last revision 2015-12-07 12:34 UTC by sustmidown at centrum dot cz)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-12-07 12:35 UTC] sustmidown at centrum dot cz
-Operating System: +Operating System: Linux x86-64
 [2015-12-07 12:35 UTC] sustmidown at centrum dot cz
EDIT: OS: Linux x86-64
 [2015-12-07 15:59 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 07:01:29 2024 UTC