Bug #34818 new mysqli_stmt() crashes if first parameter is not a valid mysqli_link
Submitted: 2005-10-10 21:24 UTC Modified: 2005-10-10 22:06 UTC
From: squasar at eternalviper dot net Assigned: tony2001 (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.1.0RC1 OS: *
Private report: No CVE-ID: None
 [2005-10-10 21:24 UTC] squasar at eternalviper dot net
Description:
------------
Calling __construct() on mysqli_stmt with an unset variable 
as the mysqli_link crashes PHP in mysqli_stmt_construct. 
Note that this is actually 5.1.0RC2 (CVS tag 
php_5_1_0RC2_PRE). This may affect other MySQLi functions
(?). A possible fix, minus a more informative error message 
is here, but my instinct says there may be more going on 
behind this than the check in MYSQLI_FETCH_RESOURCE() since 
passing a literal NULL or similar instead of an undefined 
variable gives an error message instead of crashing.

Index: ext/mysqli/php_mysqli.h
============================================================
=======
RCS file: /repository/php-src/ext/mysqli/php_mysqli.h,v
retrieving revision 1.54
diff -u -r1.54 php_mysqli.h
--- ext/mysqli/php_mysqli.h     3 Aug 2005 14:07:31 -0000       
1.54
+++ ext/mysqli/php_mysqli.h     10 Oct 2005 19:17:35 -0000
@@ -202,7 +202,12 @@
 #define MYSQLI_FETCH_RESOURCE(__ptr, __type, __id, __name) 
\
 { \
        MYSQLI_RESOURCE *my_res; \
-       mysqli_object *intern = (mysqli_object *)
zend_object_store_get_object(*(__id) TSRMLS_CC);\
+       mysqli_object *intern = NULL; \
+       if (Z_TYPE_PP(__id) != IS_OBJECT) {\
+               php_error(E_WARNING, "Object parameter 
invalid"); \
+               RETURN_NULL(); \
+       } \
+       intern = (mysqli_object *)
zend_object_store_get_object(*(__id) TSRMLS_CC);\
        if (!(my_res = (MYSQLI_RESOURCE *)intern->ptr)) {\
                php_error(E_WARNING, "Couldn't fetch %s", 
intern->zo.ce->name);\
                RETURN_NULL();\
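
Review bot: The new guard in MYSQLI_FETCH_RESOURCE tests only Z_TYPE_PP(__id) != IS_OBJECT, which reads through __id twice before anything has confirmed that __id and *__id are non-NULL, and it accepts any object at all, so a value of some other class still reaches the (mysqli_object *) cast and the intern->ptr read unchecked. Consider checking the pointers before reading the type and verifying the object's class before the cast. The warning text "Object parameter invalid" also ignores the __name argument the macro already receives; including it would tell the user which kind of object was expected, in line with the existing "Couldn't fetch %s" message. Because this is a macro, the early RETURN_NULL() is added to every function that expands it, which deserves a mention in the commit message.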


Reproduce code:
---------------
<?php $s = new mysqli_stmt( $undefined, "SELECT 1 FROM DUAL" ); ?>


Expected result:
----------------
Warning: Object parameter invalid in - on line 1

Actual result:
--------------
Bus error

Thread 0 Crashed:
0   php 	0x000c1bb8 zif_mysqli_stmt_construct + 252 
(mysqli.c:675)
1   php 	0x0020ab88 zend_do_fcall_common_helper_SPEC + 1560 
(zend_vm_execute.h:184)
2   php 	0x0020a4c4 execute + 520 (zend_vm_execute.h:87)
3   php 	0x001e0630 zend_execute_scripts + 444 (zend.c:
1079)
4   php 	0x00195334 php_execute_script + 780 (main.c:1679)
5   php 	0x002921ac main + 3684 (php_cli.c:1040)
6   php 	0x00002b58 _start + 344 (crt.c:272)
7   php 	0x000029fc start + 60
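
The failure class in this report is reading an object payload out of a tagged value before checking what the value holds. The following is an added example, not code from PHP or from the report: a toy model in which value_t, obj_t, LINK_CLASS and fetch_resource() are hypothetical names, showing each level being validated in the order it is dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for an engine's tagged value; NOT PHP's real zval layout. */
typedef enum { T_NULL, T_LONG, T_OBJECT } tag_t;
typedef struct { const char *class_name; void *ptr; } obj_t;
typedef struct { tag_t type; union { long lval; obj_t *obj; } u; } value_t;

typedef enum { FETCH_OK, ERR_NO_VALUE, ERR_NOT_OBJECT,
               ERR_WRONG_CLASS, ERR_NO_RESOURCE } fetch_rc;

static const char LINK_CLASS[] = "link";   /* hypothetical class identity */

/* Validate every level before reading through it, in the order the
 * dereferences happen: slot, value, tag, class, then the payload. */
fetch_rc fetch_resource(value_t **id, void **out)
{
    if (id == NULL || *id == NULL)
        return ERR_NO_VALUE;        /* nothing to read a tag from */
    if ((*id)->type != T_OBJECT)
        return ERR_NOT_OBJECT;      /* union does not hold an object */
    obj_t *o = (*id)->u.obj;
    if (o == NULL || o->class_name != LINK_CLASS)
        return ERR_WRONG_CLASS;     /* an object, but not the expected kind */
    if (o->ptr == NULL)
        return ERR_NO_RESOURCE;     /* object carries no live handle */
    *out = o->ptr;
    return FETCH_OK;
}

int main(void)
{
    int handle = 7;                 /* constructed sample resource */
    obj_t link = { LINK_CLASS, &handle };
    value_t good = { T_OBJECT, { .obj = &link } };
    value_t num  = { T_LONG,   { .lval = 5 } };
    value_t *cases[] = { NULL, &num, &good };  /* unset, wrong type, valid */
    for (size_t i = 0; i < 3; i++) {
        void *out = NULL;
        printf("case %zu -> rc %d\n", i, (int)fetch_resource(&cases[i], &out));
    }
    return 0;
}
```

Without the tag check, the T_LONG case would have its integer payload interpreted as an object pointer.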


 [2005-10-10 22:06 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Last updated: Sat Dec 21 15:01:29 2024 UTC