Bug #38710 data leakage because of nonexisting boundary checking in statements
Submitted: 2006-09-04 10:34 UTC Modified: 2007-07-11 12:28 UTC
From: domas at mysql dot com Assigned: georg (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.1.6 OS: Any
Private report: No CVE-ID: None
 [2006-09-04 10:34 UTC] domas at mysql dot com
Description:
------------
If a function is executed in a prepared statement (like CONCAT, 
UNCOMPRESS, etc), it allocates an 8192-sized buffer, but fetch() 
doesn't check the actual length of the data. If the data crosses the 8192-byte 
boundary, all sorts of weird stuff starts to happen, including 
possible sensitive data disclosures of non-overwritten buffers 
(at smaller lengths) or process crashes (at bigger ones). 



Reproduce code:
---------------
<?php
// Connect to the test database (credentials as posted in the report)
$db = new mysqli("localhost", "root", "", "test");
$qry = $db->stmt_init();
// A 100000-byte value, well past the 8192-byte buffer fetch() allocates
$qry->prepare("SELECT REPEAT('a',100000)");
$qry->execute();
$qry->bind_result($text);
$qry->fetch(); // crashes (or leaks buffer contents) on affected versions



Expected result:
----------------
silence

Actual result:
--------------
crash!
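The defect the report describes is a consumer that copies `length` bytes out of a fixed 8192-byte bind buffer without comparing `length` against the buffer's capacity. The following C model is an added example, not the bug report's code and not PHP's ext/mysqli: `deliver_column` stands in for the client library delivering a column into a bound buffer (a simplified analogue of how libmysqlclient reports the real length and a truncation status), and `fetch_column_string` shows the boundary check a fixed fetch() needs: it copies at most `buffer_length` bytes, grows the buffer when the reported length exceeds it, and re-fetches. The helper names and the `REPEAT('a', n)` input are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model, not PHP's ext/mysqli code. A client binds a fixed-size
 * buffer for a column; the real column length is only known once the
 * row arrives. The report is the case where the consumer copies
 * `length` bytes out of an 8192-byte buffer without checking it. */
#define BIND_BUFFER_LEN 8192

struct bind_buf {
    char *buffer;         /* caller-owned storage for the column */
    size_t buffer_length; /* capacity of buffer */
    size_t length;        /* actual column length reported by the fetch */
};

/* Stand-in for the library side of fetch(): delivers a column of data_len
 * bytes into the bound buffer, copying at most buffer_length bytes and
 * returning 1 when the value did not fit. */
static int deliver_column(struct bind_buf *b, const char *data, size_t data_len)
{
    size_t n = data_len < b->buffer_length ? data_len : b->buffer_length;
    b->length = data_len;           /* full length, even when truncated */
    memcpy(b->buffer, data, n);
    return data_len > b->buffer_length;
}

/* Safe consumer: the boundary check the report says was missing. Returns a
 * NUL-terminated heap copy of the column, or NULL on allocation failure.
 * *out_len receives the copied length; *out_truncated is set to 1 when the
 * first delivery did not fit and the buffer had to be grown. */
char *fetch_column_string(const char *data, size_t data_len,
                          size_t *out_len, int *out_truncated)
{
    struct bind_buf b = { NULL, BIND_BUFFER_LEN, 0 };
    b.buffer = malloc(b.buffer_length);
    if (b.buffer == NULL) return NULL;

    *out_truncated = deliver_column(&b, data, data_len);
    if (*out_truncated) {
        /* Grow to the reported length and fetch again instead of
         * reading `length` bytes out of an 8192-byte buffer. */
        char *grown = realloc(b.buffer, b.length);
        if (grown == NULL) { free(b.buffer); return NULL; }
        b.buffer = grown;
        b.buffer_length = b.length;
        deliver_column(&b, data, data_len);
    }

    /* Even after growing, never trust length over capacity. */
    size_t copy_len = b.length < b.buffer_length ? b.length : b.buffer_length;
    char *out = malloc(copy_len + 1);
    if (out == NULL) { free(b.buffer); return NULL; }
    memcpy(out, b.buffer, copy_len);
    out[copy_len] = '\0';
    free(b.buffer);
    *out_len = copy_len;
    return out;
}

/* Constructed input standing in for the report's SELECT REPEAT('a', n). */
static char *repeat_a(size_t n)
{
    char *s = malloc(n);
    if (s != NULL) memset(s, 'a', n);
    return s;
}

/* Fetch REPEAT('a', n) and verify the copy: returns 1 when every byte is
 * 'a', the length matches and the terminator is in place, else 0. */
int fetch_repeat_is_intact(size_t n, size_t *len, int *truncated)
{
    char *data = repeat_a(n);
    if (data == NULL) return 0;
    char *got = fetch_column_string(data, n, len, truncated);
    free(data);
    if (got == NULL) return 0;
    int ok = (*len == n);
    for (size_t i = 0; ok && i < n; i++) ok = (got[i] == 'a');
    ok = ok && got[n] == '\0';
    free(got);
    return ok;
}

/* Probes: copied length ((size_t)-1 on failure) and whether the first
 * delivery was truncated (-1 on failure). */
size_t fetched_length(size_t n)
{
    size_t len = 0; int tr = 0;
    return fetch_repeat_is_intact(n, &len, &tr) ? len : (size_t)-1;
}

int fetched_truncated(size_t n)
{
    size_t len = 0; int tr = 0;
    return fetch_repeat_is_intact(n, &len, &tr) ? tr : -1;
}

int main(void)
{
    size_t sizes[] = { 100, 8192, 8193, 100000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("REPEAT('a',%zu): fetched %zu bytes, truncated on first pass: %d\n",
               sizes[i], fetched_length(sizes[i]), fetched_truncated(sizes[i]));
    return 0;
}
```

The 8192 and 8193 cases are the interesting pair: a value exactly the size of the buffer fits without a second pass, while one byte more must trigger the grow-and-refetch path rather than an over-read of the original buffer.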

 [2006-09-04 10:35 UTC] domas at mysql dot com
#0  0x007c758c in memcpy () from /lib/tls/libc.so.6
#1  0x081b6d91 in _estrndup ()
#2  0x05698383 in zif_mysqli_stmt_fetch (ht=147132188, 
return_value=0x8c420bc, return_value_ptr=0x0, 
this_ptr=0x8c50f1c, return_value_used=0)
    at /usr/src/redhat/BUILD/php-5.1.6/ext/mysqli/mysqli_api.c:717
#3  0x081e9a81 in zend_do_fcall_common_helper_SPEC ()
#4  0x081e93bb in execute ()
#5  0x081ce2e0 in zend_execute_scripts ()
#6  0x08192006 in php_execute_script ()
#7  0x00000000 in ?? ()
 [2007-03-08 22:51 UTC] stas@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

I've committed a semi-fix (the real fix would be to fetch all the data, I guess). 
 [2007-04-11 22:41 UTC] tony2001@php.net
Georg, any news on this?
I can't reproduce it locally, but it seems to fail on gcov.php.net, see http://gcov.php.net/viewer.php?version=PHP_5_2&func=tests&file=ext%2Fmysqli%2Ftests%2Fbug38710.phpt
 [2007-07-11 12:28 UTC] andrey@php.net
Should have been fixed by Stas.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 08:01:28 2024 UTC