PHP :: Bug #81009 :: PDO statement segfault on invalid param

Bug #81009

PDO statement segfault on invalid param

Submitted:

2021-05-03 16:45 UTC

Modified:

2021-05-04 10:18 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	0 (0.0%)

From:

theo dot fidry at gmail dot com

Assigned:

cmb (profile)

Status:

Duplicate

Package:

PDO PgSQL

PHP Version:

7.4.18

OS:

OSX 11.2.3

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	theo dot fidry at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2021-05-03 16:45 UTC] theo dot fidry at gmail dot com

Description:
------------
We have in our code the following statement (done via Doctrine):

```
$stmt->bindValue(6, null, 1);
```

coming from an entity property of the type `?int` and for which the corresponding DB column is a nullable integer (PostgreSQL 12.3).

When upgrading from PHP 7.4.13 to 7.4.18 the above statement results in a segfault  once executing the query.

changing the `null` value into an int value or keeping the value `null` and changing the param type `1` to `0` both results in a successful execution on 7.4.18.

The related Doctrie code is https://github.com/doctrine/dbal/blob/2.13.x/lib/Doctrine/DBAL/Statement.php#L101-L121 as you can see it did not change in a log time and even if a failure is expected with an invalid type, I suspect a segfault is not the desired outcome.

Test script:
---------------
We are using the following except locally:

```
$kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
$kernel->boot();

/** @var PDOStatement $stmt */
$stmt = $kernel->getContainer()
    ->get('doctrine.dbal.default_connection')
    ->prepare('INSERT INTO foo (col1, col2, col3, col4, col5, col6, col7) VALUES (?, ?, ?, ?, ?, ?, ?)');

$stmt->bindValue(1, 16527, 1);
$stmt->bindValue(2, 'ee3b3a2d-f01a-4455-a509-629bf2780ca6', 2);
$stmt->bindValue(3, '2021-05-03T16:09:31Z', 2);
$stmt->bindValue(4, 'certificationGranted', 2);
$stmt->bindValue(5, 'foo', 2);
$stmt->bindValue(6, null, 1);
$stmt->bindValue(7, '3e2456b7-49c2-46de-ad7d-1b3f4c1b5663', 2);

$stmt = $stmt->execute(null);
```


Expected result:
----------------
Not a segfault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-05-04 01:22 UTC] rwahyudi at gmail dot com

Confirmed that we hit the same bug on RHEL7 and can reproduce the issue. 

When hitting this bug, we get the following error on /var/log/message : 

kernel: php74[6170]: segfault at 18 ip 00007fb376c68fe7 sp 00007ffc46b4d280 error 4 in libc-2.17.so[7fb376c2e000+1c4000]

strace result : 

open("vendor/doctrine/dbal/lib/Doctrine/DBAL/Statement.php", O_RDONLY) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=23012, ...}) = 0
read(14, "<?php\n\nnamespace Doctrine\\DBAL;\n"..., 23012) = 23012
fcntl(4, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
fcntl(4, F_SETLK, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
close(14)                               = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x18} ---
+++ killed by SIGSEGV ++

[2021-05-04 10:18 UTC] cmb@php.net

-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb

[2021-05-04 10:18 UTC] cmb@php.net

This is a duplicate of bug #81002, which will be fixed in
PHP 7.4.19 and 8.0.6.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 06:00:02 2025 UTC