Bug #35604 pgsql crash when repeatedly using the same named parameter in a query
Submitted: 2005-12-08 19:08 UTC Modified: 2006-10-04 01:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: smlerman at gmail dot com Assigned: wez (profile)
Status: No Feedback Package: PDO related
PHP Version: 5CVS-2005-12-09 (snap) OS: Linux
Private report: No CVE-ID: None
 [2005-12-08 19:08 UTC] smlerman at gmail dot com
Description:
------------
PHP crashes on the following code. Changing the second named marker from :foo1 to :foo2 fixes the crash, which made me think it had to do with duplicate names. However, removing the where clause (leaving both name markers :foo1) also eliminates the crash, though the statement gets an error code of "HY093" (no full message).

Reproduce code:
---------------
<?php
// Reproducer as posted: the named marker :foo1 appears twice in the query.
$db = new PDO("pgsql:host=localhost dbname=name user=user password=password");
$stmt = $db->prepare("UPDATE test SET foo1 = :foo1, foo2 = :foo1 WHERE foo1 = :id");
$stmt->bindParam(':foo1', $foo1);
$stmt->bindParam(':foo2', $foo2); // there is no :foo2 marker in the query above
$stmt->bindParam(':id', $id);
$foo1 = "foo";
$foo2 = "foo";
$id = "foo";
var_dump($stmt->errorInfo());
$stmt->execute(); // the crash happens here
?>

Expected result:
----------------
An error message of some kind if duplicate names aren't allowed, but certainly not a memory dump.

Actual result:
--------------
*** glibc detected *** php: free(): invalid next size (fast): 0x09980018 ***
Followed by a backtrace and memory dump

 [2005-12-08 19:16 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2005-12-09 17:53 UTC] smlerman at gmail dot com
Tried the same code on my Linux box at home (Fedora Core 2, first test server I believe is Fedora 4), and it just gives a segmentation fault instead. Tried the php5.1-200512091530 snapshot, and I get the same results.
 [2005-12-09 18:03 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2005-12-09 22:56 UTC] smlerman at gmail dot com
Here's the backtrace.

(gdb) bt
#0  0x00556716 in free () from /lib/tls/libc.so.6
#1  0x082184cd in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /root/php/php5.1-200512091530/Zend/zend_alloc.c:512
#2  0x081f903f in php_request_shutdown (dummy=0x0) at /root/php/php5.1-200512091530/main/main.c:1303
#3  0x08280e1f in main (argc=2, argv=0xbfe192e4) at /root/php/php5.1-200512091530/sapi/cli/php_cli.c:1142
(gdb)
 [2005-12-12 10:30 UTC] sniper@php.net
What was the configure line you used?
 [2005-12-12 12:33 UTC] smlerman at gmail dot com
./configure --prefix=/usr/local/php5 --with-pgsql=/usr/local/pgsql/ --with-mysql=/usr/local/mysql/ --with-pdo --with-pdo-pgsql --with-pdo-mysql --with-gd --with-jpeg-dir=/usr/local/lib --with-zlib-dir=/usr/local/zlib --with-png-dir=/usr/local/libpng --with-apxs2=/usr/local/apache/bin/apxs --enable-debug
 [2005-12-12 13:23 UTC] sniper@php.net
What awk do you have? And what version? gawk, mawk or awk?

 [2005-12-12 14:26 UTC] tony2001@php.net
==19435== Invalid write of size 4
==19435==    at 0x80B5654: pgsql_stmt_param_hook (pgsql_statement.c:278)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD907B8 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B52AD: pgsql_stmt_param_hook (pgsql_statement.c:222)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==
==19435== Invalid write of size 4
==19435==    at 0x80B5672: pgsql_stmt_param_hook (pgsql_statement.c:279)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD907F0 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B52CF: pgsql_stmt_param_hook (pgsql_statement.c:225)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==
==19435== Invalid write of size 4
==19435==    at 0x80B5687: pgsql_stmt_param_hook (pgsql_statement.c:280)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD90828 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B52F1: pgsql_stmt_param_hook (pgsql_statement.c:228)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==
==19435== Invalid write of size 4
==19435==    at 0x80B56E0: pgsql_stmt_param_hook (pgsql_statement.c:287)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD90860 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B5313: pgsql_stmt_param_hook (pgsql_statement.c:231)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)

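To make the counting mismatch behind the description and the valgrind output concrete, here is an added C example (not PHP's pdo_pgsql code) that models a named-to-positional placeholder rewrite: it counts placeholder occurrences against distinct names for the reporter's query, which is the check an application or driver can apply before a repeated name reaches code that sizes its per-parameter arrays by name. The scanner is a simplification (string literals are not skipped) and all names in it are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16
#define NAME_LEN  32

/* Scan a query for ':name' placeholders. Returns the number of occurrences
 * (what a positional $1,$2,... rewrite must allocate for) and stores the
 * number of distinct names (what the caller binds) in *distinct_out.
 * Simplification: string literals are not skipped; a '::' cast is. */
int count_placeholders(const char *sql, int *distinct_out) {
    char names[MAX_NAMES][NAME_LEN];
    int occurrences = 0, distinct = 0;
    for (const char *p = sql; *p; p++) {
        if (*p != ':' || (p > sql && p[-1] == ':'))
            continue;
        if (!(isalnum((unsigned char)p[1]) || p[1] == '_'))
            continue;
        const char *start = ++p;
        while (isalnum((unsigned char)*p) || *p == '_')
            p++;
        size_t len = (size_t)(p - start);
        if (len >= NAME_LEN) len = NAME_LEN - 1;
        occurrences++;
        int seen = 0;
        for (int i = 0; i < distinct && !seen; i++)
            seen = strlen(names[i]) == len && memcmp(names[i], start, len) == 0;
        if (!seen && distinct < MAX_NAMES) {
            memcpy(names[distinct], start, len);
            names[distinct][len] = '\0';
            distinct++;
        }
        p--;  /* the for-loop's p++ re-examines the terminating character */
    }
    *distinct_out = distinct;
    return occurrences;
}

/* The failure condition this report hits: arrays sized by distinct bound
 * names are too small once a name repeats (3 positions but 2 names, which
 * is consistent with 4-byte writes landing just past a calloc'd block of
 * size 8). Returns 1 when the query would be undersized that way. */
int repeated_name_undersizes(const char *sql) {
    int distinct;
    return count_placeholders(sql, &distinct) > distinct;
}

int main(void) {
    const char *q = "UPDATE test SET foo1 = :foo1, foo2 = :foo1 WHERE foo1 = :id";
    int distinct, occ = count_placeholders(q, &distinct);
    printf("%d occurrences, %d distinct, undersized: %d\n", occ, distinct,
           repeated_name_undersizes(q));
    return 0;
}
```
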
 [2005-12-12 14:40 UTC] smlerman at gmail dot com
# awk --version
GNU Awk 3.1.3
Copyright (C) 1989, 1991-2003 Free Software Foundation.
 [2005-12-22 14:50 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2005-12-22 16:51 UTC] smlerman at gmail dot com
Still get a segmentation fault with the 2005-12-22-1330 snapshot.
 [2006-05-14 14:41 UTC] merlin at l0cal dot net
problem still exists with PHP 5.1.4...
 [2006-09-26 22:48 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

This should be fixed in recent snaps.
 [2006-10-04 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 