php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #58632 db2_execute() segfault on an empty string as a bind parameter
Submitted: 2009-04-15 05:51 UTC Modified: 2009-12-24 03:19 UTC
From: t-yonetani at ergobrains dot co dot jp Assigned:
Status: Closed Package: ibm_db2 (PECL)
PHP Version: 4.4.9 OS: CentOS 4.6
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: t-yonetani at ergobrains dot co dot jp
New email:
PHP Version: OS:

 

 [2009-04-15 05:51 UTC] t-yonetani at ergobrains dot co dot jp 
Description:
------------
In !defined(PASE) case, _php_db2_bind_data() won't allocate memory area dynamically for a 0-length string, but db2_execute() attempts to efree() it unconditionally in the cleanup code, so it ends up in a SIGSEGV somewhere in efree().

Reproduce code:
---------------
$db = db2_connect($database, $username, $password);
$st = db2_prepare("VALUES CAST(? AS CHAR(10))");
db2_execute($st, array(""));

Expected result:
----------------
successfully terminate

Actual result:
--------------
PHP catches SIGSEGV

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-04-15 05:57 UTC] t-yonetani at ergobrains dot co dot jp 
Sorry, the second line in `Reproduce code' should've been

$st = db2_prepare($db, "VALUES CAST(? AS CHAR(10))");

to successfully terminate.
 [2009-04-20 07:30 UTC] abhargav at in dot ibm dot com 
Hi,

Can you tell me what is the version of IBM_DB2 you are using?

Regards,
Ambrish Bhargava
 [2009-04-20 21:43 UTC] t-yonetani at ergobrains dot co dot jp 
Hi,
db2level command says:
DB21085I  Instance "db2inst1" uses "32" bits and DB2 code release "SQL08029"
with level identifier "030A0106".
Informational tokens are "DB2 v8.1.2.152", "s080813", "MI00248", and FixPak
"17".
Product is installed at "/opt/IBM/db2/V8.1".
 [2009-04-20 21:48 UTC] t-yonetani at ergobrains dot co dot jp 
It seems like I misunderstood your question; I'm using ibm_db2-1.8.2.  Please let me know if there's any newer version to try.

Regards,
YONETANI Tomokazu
 [2009-04-21 04:58 UTC] abhargav at in dot ibm dot com 
Hi,

Please apply following patch and see if it helps:

3967c3967,3969
< 				efree((prev_ptr->value)->value.str.val);
---
> 				if((prev_ptr->value)->value.str.val != NULL && (prev_ptr->value)->value.str.len != 0) {
> 					efree((prev_ptr->value)->value.str.val);
> 				}
3970,3971c3972,3975
< 			if( prev_ptr->param_type != DB2_PARAM_OUT && prev_ptr->param_type != DB2_PARAM_INOUT ){
< 				efree(prev_ptr->value);
---
> 			if( prev_ptr->param_type != DB2_PARAM_OUT && prev_ptr->param_type != DB2_PARAM_INOUT ) {
> 				if(prev_ptr->value != NULL) {
> 					efree(prev_ptr->value);
> 				}


Regards,
Ambrish Bhargava
 [2009-04-21 20:09 UTC] t-yonetani at ergobrains dot co dot jp 
Apparently the patch fixes the issue.  By the way, I think that the NULL check you added for (prev_ptr->value), should it ever be NULL, need to be performed before looking at (prev_ptr->value)->value.str.val, or else you would end up NULL-pointer dereference.

Thanks.
 [2009-08-18 01:23 UTC] yonetani at spireinc dot jp 
Hi, can someone tell me the status on this issue?  Any plan on a new release?  I'm looking forward to hearing from you.

Thanks in advance.
 [2009-08-18 02:05 UTC] abhargav at in dot ibm dot com 
Hi,

Currently I am working on some other issue and hence release got delayed. I will try to make a release ASAP.

Regards,
Ambrish Bhargava
 [2009-12-24 03:19 UTC] abhargav at in dot ibm dot com 
Thank you for your bug report. This issue has been fixed
in the latest released version of the package, which you can download at
http://pecl.php.net/get/ibm_db2
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Oct 26 01:00:01 2025 UTC