Bug #62273 Segmentation Fault in Mysqli/Mysqlnd
Submitted: 2012-06-09 03:48 UTC Modified: 2012-06-29 14:00 UTC
From: andres at phalconphp dot com Assigned: mysql (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.3.15-dev/5.3.12/5.4.5-dev OS: Linux/Mac
Private report: No CVE-ID: None
 [2012-06-09 03:48 UTC] andres at phalconphp dot com
Description:
------------
Hi, I'm getting a segmentation fault when executing this code:

<?php

$link = mysqli_connect("127.0.0.1", "root", "", "test");

mysqli_real_escape_string($link, "1");

Result:

Mac (Snow leopard):

[#] php a.php 
Segmentation fault

[#] php -v
PHP 5.3.12 (cli) (built: Jun  4 2012 19:51:42) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

Ubuntu (11.10):
$ php a.php 
Segmentation fault

$ php -v
PHP 5.3.15-dev (cli) (built: Jun  8 2012 22:17:40) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies



Test script:
---------------
This produces the segmentation fault:

<?php

$link = mysqli_connect("127.0.0.1", "root", "passwd", "test");

echo mysqli_real_escape_string($link, "1");

Also, this code produces a segmentation fault:

<?php

$link = mysqli_connect("127.0.0.1", "root", "passwd", "test");

printf("Current character set: %s\n", mysqli_character_set_name($link));

Investigating more deeply, I resolved the problem by removing this from my.cnf:

character-set-server = utf8
collation-server = utf8_spanish_ci

Using latin1 and latin_swedish_ci works fine.

This is my ./configure command on Linux:

./configure --enable-cli --with-mysqli=mysqlnd --disable-xmlreader --disable-xmlwriter --with-apxs2=/usr/bin/apxs2 --with-config-file-path=/etc --enable-mysqlnd

This is the mysqli/mysqlnd part of the phpinfo():

mysqli

MysqlI Support => enabled
Client API library version => mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $
Active Persistent Links => 0
Inactive Persistent Links => 0
Active Links => 0

Directive => Local Value => Master Value
mysqli.allow_local_infile => On => On
mysqli.allow_persistent => On => On
mysqli.default_host => no value => no value
mysqli.default_port => 3306 => 3306
mysqli.default_pw => no value => no value
mysqli.default_socket => no value => no value
mysqli.default_user => no value => no value
mysqli.max_links => Unlimited => Unlimited
mysqli.max_persistent => Unlimited => Unlimited
mysqli.reconnect => Off => Off

mysqlnd

mysqlnd => enabled
Version => mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $
Compression => not supported
SSL => supported
Command buffer size => 4096
Read buffer size => 32768
Read timeout => 31536000
Collecting statistics => Yes
Collecting memory statistics => Yes
Tracing => n/a

$ mysql --version
mysql  Ver 14.14 Distrib 5.1.62, for debian-linux-gnu (i686) using readline 6.2

[#] mysql --version
mysql  Ver 14.14 Distrib 5.1.62, for apple-darwin10.8.0 (i386) using readline 6.2


Expected result:
----------------
In the first program, 1 as output; in the second program: Current character set: utf8



Actual result:
--------------
For:

<?php

$link = mysqli_connect("127.0.0.1", "root", "hea101", "demo");

printf("Current character set: %s\n", mysqli_character_set_name($link));

This is the backtrace:

(gdb) run a.php
Starting program: /opt/local/bin/php a.php
Reading symbols for shared libraries .+++++++++ done
Reading symbols for shared libraries . done

...

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
0x000000010016ad0b in php_mysqlnd_conn_charset_name_pub ()
(gdb) bt
#0  0x000000010016ad0b in php_mysqlnd_conn_charset_name_pub ()
#1  0x0000000103193015 in zif_mysqli_character_set_name ()
#2  0x0000000100232d3a in zend_do_fcall_common_helper_SPEC ()
#3  0x0000000100207abb in execute ()
#4  0x00000001001df88b in zend_execute_scripts ()
#5  0x0000000100186c32 in php_execute_script ()
#6  0x0000000100271ed5 in main ()
(gdb)

And for: 

<?php

$link = mysqli_connect("127.0.0.1", "root", "hea101", "demo");

mysqli_real_escape_string($link, "1");

This is the backtrace:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000000000001c
0x000000010016fab0 in mysqlnd_cset_escape_slashes ()
(gdb) bt
#0  0x000000010016fab0 in mysqlnd_cset_escape_slashes ()
#1  0x0000000103193aa1 in zif_mysqli_real_escape_string ()
#2  0x0000000100232d3a in zend_do_fcall_common_helper_SPEC ()
#3  0x0000000100207abb in execute ()
#4  0x00000001001df88b in zend_execute_scripts ()
#5  0x0000000100186c32 in php_execute_script ()
#6  0x0000000100271ed5 in main ()
(gdb)



History
 [2012-06-09 05:08 UTC] andres at phalconphp dot com
PHP 5.4 is also affected:

$ php -v
PHP 5.4.5-dev (cli) (built: Jun  8 2012 23:58:38) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

$ php a.php 
Segmentation fault

$ gdb --args sapi/cli/php a.php 
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/andres/php5.4-201206090330/sapi/cli/php...done.
(gdb) run 
Starting program: /home/andres/php5.4-201206090330/sapi/cli/php a.php

Program received signal SIGSEGV, Segmentation fault.
mysqlnd_cset_escape_slashes (cset=0x0, newstr=0xb7fc5884 "|X\374\267|X\374\267\364\001", 
    escapestr=0xb7ebbc90 "1", escapestr_len=1)
    at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd_charset.c:719
719			if (cset->char_maxlen > 1 && (len = cset->mb_valid(escapestr, end))) {

(gdb) bt
#0  mysqlnd_cset_escape_slashes (cset=0x0, newstr=0xb7fc5884 "|X\374\267|X\374\267\364\001", 
    escapestr=0xb7ebbc90 "1", escapestr_len=1)
    at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd_charset.c:719
#1  0x08285111 in php_mysqlnd_conn_data_escape_string_pub (escapestr_len=1, 
    escapestr=0xb7ebbc90 "1", newstr=0xb7fc5884 "|X\374\267|X\374\267\364\001", conn=0xb7fc3e58)
    at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd.c:1470
#2  php_mysqlnd_conn_data_escape_string_pub (conn=0xb7fc3e58, 
    newstr=0xb7fc5884 "|X\374\267|X\374\267\364\001", escapestr=0xb7ebbc90 "1", escapestr_len=1)
    at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd.c:1459
#3  0x0818419c in zif_mysqli_real_escape_string (ht=2, return_value=0xb7fc35a0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/andres/php5.4-201206090330/ext/mysqli/mysqli_api.c:1905
#4  0x083a28d8 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>)
    at /home/andres/php5.4-201206090330/Zend/zend_vm_execute.h:642
#5  0x083658ed in execute (op_array=<optimized out>)
    at /home/andres/php5.4-201206090330/Zend/zend_vm_execute.h:410
#6  0x083077db in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/andres/php5.4-201206090330/Zend/zend.c:1279
#7  0x082a8192 in php_execute_script (primary_file=0xbfffdf6c)
    at /home/andres/php5.4-201206090330/main/main.c:2473
#8  0x083a4fec in do_cli (argc=2, argv=0xbffff1f4)
    at /home/andres/php5.4-201206090330/sapi/cli/php_cli.c:988
#9  0x08066cc4 in main (argc=2, argv=0xbffff1f4)
    at /home/andres/php5.4-201206090330/sapi/cli/php_cli.c:1361
 [2012-06-09 05:08 UTC] andres at phalconphp dot com
-PHP Version: 5.3Git-2012-06-09 (snap) +PHP Version: 5.3.15-dev/5.3.12/5.4.5-dev
 [2012-06-09 05:56 UTC] andres at phalconphp dot com
I think the problem is the mysqlnd_charsets variable in ext/mysqlnd/mysqlnd_charset.c:

utf8_spanish_ci is returned as code 199 by the MySQL server, but in the charset const it is:

{ 119, UTF8_MB3, UTF8_MB3"_spanish_ci", 1, 3, "", mysqlnd_mbcharlen_utf8mb3, check_mb_utf8mb3_valid},

Then mysqlnd_find_charset_nr is unable to find the charset name, and as a consequence conn->charset is null, producing the segmentation fault.

I'm not sure what the right solution for this is; maybe updating the charset code, or assigning a default charset when the charset code does not match any.
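The failure pattern described in the comment above (a table lookup by collation number that returns NULL for an unknown number, stored on the connection without a check and dereferenced later) modelled as an added C example. This is not mysqlnd's own code: the struct layout, the table entries, the function names and the latin1 fallback are constructed assumptions; only the 119/199 mismatch for utf8_spanish_ci comes from the report. It shows the unchecked assignment beside a checked one and an escape routine that returns an error instead of touching a NULL charset.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a charset table keyed by collation number.
 * Constructed sample: per the report, utf8_spanish_ci sits under 119 here
 * while the server announces 199, so a lookup for 199 finds nothing. */
typedef struct {
    unsigned int nr;          /* collation number sent in the server handshake */
    const char *name;
    unsigned int char_maxlen; /* bytes per character; >1 means multi-byte */
} charset_t;

static const charset_t charsets[] = {
    {   8, "latin1_swedish_ci", 1 },
    {  33, "utf8_general_ci",   3 },
    { 119, "utf8_spanish_ci",   3 },
};

/* Lookup by collation number; NULL when the number is not in the table. */
const charset_t *find_charset_nr(unsigned int nr) {
    for (size_t i = 0; i < sizeof charsets / sizeof charsets[0]; i++)
        if (charsets[i].nr == nr) return &charsets[i];
    return NULL;
}

typedef struct { const charset_t *charset; } conn_t;

/* Unchecked pattern from the report: an unknown server collation leaves
 * conn->charset == NULL, and every later user of it is one deref from a crash. */
void conn_set_charset_unchecked(conn_t *c, unsigned int server_nr) {
    c->charset = find_charset_nr(server_nr);
}

/* Checked pattern: never store NULL; fall back to a known default (constructed
 * choice: latin1_swedish_ci, nr 8) and return 0 so the caller can report it. */
int conn_set_charset_checked(conn_t *c, unsigned int server_nr) {
    const charset_t *cs = find_charset_nr(server_nr);
    if (cs == NULL) {
        c->charset = find_charset_nr(8);
        return 0;
    }
    c->charset = cs;
    return 1;
}

/* Backslash-escape quotes, backslashes and line breaks. Returns the output
 * length, or -1 when the buffer is too small or the connection has no charset.
 * The real code consults char_maxlen/mb_valid to step over multi-byte characters
 * (the line that crashed); this byte-wise loop is only correct for charsets whose
 * trailing bytes never equal an ASCII escape character, e.g. UTF-8 and latin1. */
int escape_slashes(const conn_t *c, char *out, size_t outsz, const char *in) {
    if (c->charset == NULL) return -1;  /* the check whose absence caused the segfault */
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        char esc = 0;
        switch (*p) {
            case '\\': esc = '\\'; break;
            case '\'': esc = '\''; break;
            case '"':  esc = '"';  break;
            case '\n': esc = 'n';  break;
            case '\r': esc = 'r';  break;
            case '\032': esc = 'Z'; break;
        }
        if (esc) {
            if (o + 2 >= outsz) return -1;
            out[o++] = '\\';
            out[o++] = esc;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    conn_t bad, good;
    char buf[64];
    conn_set_charset_unchecked(&bad, 199);           /* server says 199: not in table */
    printf("unchecked: charset %s\n", bad.charset ? bad.charset->name : "NULL");
    printf("escape on NULL charset -> %d\n", escape_slashes(&bad, buf, sizeof buf, "1"));
    if (!conn_set_charset_checked(&good, 199))
        printf("checked: unknown collation 199, fell back to %s\n", good.charset->name);
    printf("escape -> %d: %s\n", escape_slashes(&good, buf, sizeof buf, "a'b\\c"), buf);
    return 0;
}
```

The point a reviewer takes from this is that a lookup by server-supplied number is untrusted input handling: a server (or a newer server version) can always name a collation the client table does not know, so the lookup result has to be checked at the point of assignment, and the consumers should still refuse a NULL charset as defence in depth.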
 [2012-06-09 08:45 UTC] cataphract@php.net
-Assigned To: +Assigned To: mysql
 [2012-06-11 23:45 UTC] andres at phalconphp dot com
-Status: Assigned +Status: Open
 [2012-06-11 23:45 UTC] andres at phalconphp dot com
Hi, is someone assigned to this?
 [2012-06-12 08:09 UTC] andrey@php.net
-Status: Open +Status: Verified
 [2012-06-12 08:09 UTC] andrey@php.net
php -r '$link = mysqli_connect("127.0.0.1", "root", "root", "test");var_dump(mysqli_character_set_name($link));'
Segmentation fault (core dumped)
 [2012-06-29 13:59 UTC] andrey@php.net
Automatic comment on behalf of andrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8fe87e7feaab2c031998d553585ba8cabf077499
Log: fix Bug #62273 	Segmentation Fault in Mysqli/Mysqlnd
 [2012-06-29 14:00 UTC] andrey@php.net
The fix will come, together with more csets, in the next PHP 5.3 release.
 [2012-06-29 14:00 UTC] andrey@php.net
-Status: Verified +Status: Closed
 [2012-06-30 19:43 UTC] felipe@php.net
Automatic comment on behalf of andrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8fe87e7feaab2c031998d553585ba8cabf077499
Log: fix Bug #62273 	Segmentation Fault in Mysqli/Mysqlnd
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of andrey
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8fe87e7feaab2c031998d553585ba8cabf077499
Log: fix Bug #62273 	Segmentation Fault in Mysqli/Mysqlnd
 [2014-10-07 23:35 UTC] stas@php.net
Automatic comment on behalf of andrey
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8fe87e7feaab2c031998d553585ba8cabf077499
Log: fix Bug #62273 	Segmentation Fault in Mysqli/Mysqlnd
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 11:01:27 2024 UTC