PHP :: Bug #54733 :: PDOStatement->execute using libmysql segfaults

Bug #54733

PDOStatement->execute using libmysql segfaults

Submitted:

2011-05-14 04:09 UTC

Modified:

2013-02-18 00:34 UTC

Votes:	4
Avg. Score:	4.8 ± 0.4
Reproduced:	4 of 4 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

dan at mutual dot io

Assigned:

mysql (profile)

Status:

No Feedback

Package:

PDO related

PHP Version:

5.3.6

OS:

Debian 5.0.8 (lenny)

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	dan at mutual dot io
New email:
PHP Version:		OS:

New/Additional Comment:

[2011-05-14 04:09 UTC] dan at mutual dot io

Description:
------------
When using pdo_mysql compiled against libmysql, calling PDOStatement->execute in 
the given context results in a segmentation fault.

Strangely, it's only when both columns `a` and `c` are selected that the 
segfault occurs, not when they are fetched independently.

~$ uname -a
Linux karin 2.6.26-2-686 #1 SMP Thu Jan 27 00:28:05 UTC 2011 i686 GNU/Linux

~$ ldd /usr/local/lib/php/extensions/no-debug-zts-20090626/pdo_mysql.so 
        linux-gate.so.1 =>  (0xb7712000)
        libmysqlclient_r.so.16 => 
/usr/local/mysql/lib/mysql/libmysqlclient_r.so.16 (0xb7696000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb767b000)
        libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb7648000)
        libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb762f000)
        libm.so.6 => /lib/i686/cmov/libm.so.6 (0xb7609000)
        libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb75f0000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7495000)
        /lib/ld-linux.so.2 (0xb7713000)

Please let me know if you require my `php --info`.

Test script:
---------------
<?php

$connection = new PDO('mysql:host=localhost;port=3306;dbname=foo', 'foo', '');

$connection->exec("DROP TABLE IF EXISTS `system`");
$connection->exec("
  CREATE TABLE `t` (
    `a` varchar(255),
    `b` varchar(255),
    `c` varchar(255)
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8
");

$statement = $connection->prepare("SELECT a, c FROM t WHERE b = :b");

// segfault
$statement->execute(array(':b' => 'blah'));
?>

Expected result:
----------------
Test script should return 0.

Actual result:
--------------
~$ gdb --args php pdo_mysql_segfault.php 
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: /usr/local/bin/php pdo_mysql_segfault.php
[Thread debugging using libthread_db enabled]
[New Thread 0xb718d6d0 (LWP 4010)]
[New Thread 0xb6561b90 (LWP 4013)]
[Thread 0xb6561b90 (LWP 4013) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb718d6d0 (LWP 4010)]
0xb72244f3 in strlen () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0  0xb72244f3 in strlen () from /lib/i686/cmov/libc.so.6
#1  0xb6572764 in pdo_mysql_stmt_describe (stmt=0x996c83c, colno=0, 
    tsrm_ls=0x97b4050)
    at /usr/local/src/php-5.3.6/ext/pdo_mysql/mysql_statement.c:700
#2  0xb6583032 in pdo_stmt_describe_columns (stmt=0x996c83c, tsrm_ls=0x97b4050)
    at /usr/local/src/php-5.3.6/ext/pdo/pdo_stmt.c:209
#3  0xb65856fe in zim_PDOStatement_execute (ht=1, return_value=0x996cad0, 
    return_value_ptr=0x0, this_ptr=0x996b804, return_value_used=0, 
    tsrm_ls=0x97b4050) at /usr/local/src/php-5.3.6/ext/pdo/pdo_stmt.c:519
#4  0x08348758 in zend_do_fcall_common_helper_SPEC (execute_data=0x999e798, 
    tsrm_ls=0x97b4050) at /usr/local/src/php-5.3.6/Zend/zend_vm_execute.h:316
#5  0x08344089 in execute (op_array=0x996bcac, tsrm_ls=0x97b4050)
    at /usr/local/src/php-5.3.6/Zend/zend_vm_execute.h:107
#6  0x082f28c6 in zend_execute_scripts (type=8, tsrm_ls=0x97b4050, retval=0x0, 
    file_count=3) at /usr/local/src/php-5.3.6/Zend/zend.c:1194
#7  0x08292890 in php_execute_script (primary_file=0xbfa7a708, 
    tsrm_ls=0x97b4050) at /usr/local/src/php-5.3.6/main/main.c:2268
#8  0x08387c1a in main (argc=2, argv=0xbfa7a864)
    at /usr/local/src/php-5.3.6/sapi/cli/php_cli.c:1193

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-05-14 04:13 UTC] dan at mutual dot io

Sorry, I forgot to mention that the segmentation fault does not occur when PHP is 
configured with `--with-pdo-mysql=mysqlnd`.

And my libmysql is 5.1.55, compiled from source.

Thanks!

[2011-06-10 19:31 UTC] sebastian dot foerster at konexxo dot de

Here the same at Magento Database Query to select Stores with IF and Else 
Statements in Where.

Install Magento and go to front page. At this point segfault the Apache process. 
Anyway you can try to execute Magento index.php in cli. Same result.

[2012-07-29 18:07 UTC] felipe@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: mysql

[2012-07-30 09:50 UTC] johannes@php.net

-Status: Assigned +Status: Feedback

[2012-07-30 09:50 UTC] johannes@php.net

I can't reproduce with neither libmysql 5.1.37 nor a fairly recent 5.6-dev version. Are you using stock MySQL from Oracle or some patched version? Which server version are you using?

Can you provide a network dump for the communication between PHP and MySQL? (note: you have to use host=127.0.0.1, not host=localhost as the later uses unix domain sockets,not TCP/IP)

Can you also run these commands in gdb after it crashed:

[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb718d6d0 (LWP 4010)]
0xb72244f3 in strlen () from /lib/i686/cmov/libc.so.6
(gdb) up
(gdb) print i
(pdb) print S->fields[i]

[2013-02-18 00:34 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Nov 02 23:00:02 2025 UTC