Bug #48070 PDO_OCI: Segfault when using persistent connection
Submitted: 2009-04-24 14:09 UTC Modified: 2016-03-08 01:48 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: jarismar dot php at gmail dot com Assigned: mbeccati (profile)
Status: Closed Package: PDO OCI
PHP Version: 5.2CVS-2009-04-24 (CVS) OS: *
Private report: No CVE-ID: None
 [2009-04-24 14:09 UTC] jarismar dot php at gmail dot com
Description:
------------
When using persistent connections, Apache segfaults at the end of the request.
The segfault only happens if some statement has got an error.

Reproduced on Windows (XP) and Linux (Debian 2.6.29-1-686).



Reproduce code:
---------------
<?php
// Persistent connection plus a failing statement: the crash appears at request end.
$sDSN = 'oci:dbname=//webreport:1521/adplabs';
$sUserName = 'rpttest82';
$sPassword = 'rpttest82';

$oPDO = new PDO($sDSN, $sUserName, $sPassword, array(PDO::ATTR_PERSISTENT => true));
$oPDO->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
  $oStatement = $oPDO->prepare('Select x from no_table');
  $oStatement->execute();
} catch (Exception $oException) {
  print $oException->getMessage()."\n";
}

Expected result:
----------------
SQLSTATE[HY000]: General error: 942 OCIStmtExecute: ORA-00942: table or view does not exist
 (/home/jaris/php-latest/ext/pdo_oci/oci_statement.c:147)

Actual result:
--------------
Windows :

Unhandled exception at 0x0088ad16 (php5ts.dll) in Apache.exe: 0xC0000005: Access violation reading location 0x002c5cc4.

Debian :
segmentation fault
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

 [2009-04-24 14:11 UTC] jarismar dot php at gmail dot com
I think this happens because error messages are being created with pestrdup and later destructed with efree.

I've changed the pdo_oci extension to use pefree when appropriate; it seems to solve the problem.

This is the patch against PHP_5_2 tip.

cvs diff - u >
Index: oci_driver.c
===================================================================
RCS file: /repository/php-src/ext/pdo_oci/oci_driver.c,v
retrieving revision 1.24.2.4.2.11
diff -u -u -p -r1.24.2.4.2.11 oci_driver.c
--- oci_driver.c	31 Dec 2008 11:17:42 -0000	1.24.2.4.2.11
+++ oci_driver.c	24 Apr 2009 10:47:29 -0000
@@ -70,16 +70,15 @@ ub4 _oci_error(OCIError *err, pdo_dbh_t 
 		S = (pdo_oci_stmt*)stmt->driver_data;
 		einfo = &S->einfo;
 		pdo_err = &stmt->error_code;
-		if (einfo->errmsg) {
-			efree(einfo->errmsg);
-		}
 	}
 	else {
 		einfo = &H->einfo;
-		if (einfo->errmsg) {
-			pefree(einfo->errmsg, dbh->is_persistent);
-		}
 	}
+	
+	if (einfo->errmsg) {
+		pefree(einfo->errmsg, dbh->is_persistent);
+	}
+
 
 	einfo->errmsg = NULL;
 	einfo->errcode = 0;
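Review bot: The merged pefree(einfo->errmsg, dbh->is_persistent) after the if/else now frees statement-level messages with the handle's persistence flag, which is only correct if every assignment to einfo->errmsg in the statement path allocates with that same flag; the allocation site is not in this hunk, so confirm it before merging. Separately, the added tab-only "+" line and the extra blank "+" line before einfo->errmsg = NULL; introduce trailing whitespace and a double blank line and should be dropped.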
Index: oci_statement.c
===================================================================
RCS file: /repository/php-src/ext/pdo_oci/oci_statement.c,v
retrieving revision 1.16.2.10.2.9
diff -u -u -p -r1.16.2.10.2.9 oci_statement.c
--- oci_statement.c	31 Dec 2008 11:17:42 -0000	1.16.2.10.2.9
+++ oci_statement.c	24 Apr 2009 10:47:30 -0000
@@ -54,6 +54,7 @@ static php_stream *oci_create_lob_stream
 static int oci_stmt_dtor(pdo_stmt_t *stmt TSRMLS_DC) /* {{{ */
 {
 	pdo_oci_stmt *S = (pdo_oci_stmt*)stmt->driver_data;
+	pdo_dbh_t *dbh = stmt->dbh;
 	HashTable *BC = stmt->bound_columns;
 	HashTable *BP = stmt->bound_params;
 
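Review bot: The new local dbh = stmt->dbh in oci_stmt_dtor is dereferenced later in the destructor without any check, so the change relies on stmt->dbh still being valid whenever a statement is destroyed; a short comment stating that invariant would help. Since the local is read only once, stmt->dbh->is_persistent at the call site would avoid the extra declaration.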
@@ -87,7 +88,7 @@ static int oci_stmt_dtor(pdo_stmt_t *stm
 	}
 
 	if (S->einfo.errmsg) {
-		efree(S->einfo.errmsg);
+		pefree(S->einfo.errmsg, dbh->is_persistent);
 		S->einfo.errmsg = NULL;
 	}
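Review bot: Only the destructor's free of S->einfo.errmsg is switched to pefree here; any other efree of einfo.errmsg elsewhere in oci_statement.c lies outside the visible context and needs the same treatment, otherwise the mismatch remains for persistent handles. A one-line comment next to pefree(S->einfo.errmsg, dbh->is_persistent) naming the allocation it pairs with would keep the two sites in step.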
 [2009-04-26 11:43 UTC] jarismar dot php at gmail dot com
This seems to fix these two bugs also,

Bug #42075  	pdo_oci crash (with persistent connection) when couldn't connect to db
Bug #44560  	Apache crashes with PDO_OCI and both persistent and non-persistent connections.
 [2009-04-27 14:25 UTC] johannes@php.net
Chris, please take a look, thanks.
 [2009-04-30 16:57 UTC] mbeccati@php.net
It took some time as I wasn't able to reproduce it using the cli sapi.

Looks like it's a duplicate of an existing bug that was fixed in 5.3+ but not backported to 5.2. 

The fix for #44301 matches the proposed patch for oci_statement.c, but leaves oci_driver.c potentially affected.

I will fix in HEAD and backport to PHP_5_3 and PHP_5_2 soon.
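
The allocator pairing discussed in this thread, as an added C sketch that is not code from php-src or from any participant: a toy tagged allocator stands in for pestrdup/pefree, so freeing a persistent block as request memory is reported instead of corrupting the heap. All names (blk_strdup, blk_free, stmt_dtor_before, stmt_dtor_after, the tag values) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (hypothetical names, not Zend APIs): every block carries a tag
   naming the heap it came from, so a mismatched free can be reported. */
enum { TAG_REQUEST = 0x52455121, TAG_PERSIST = 0x50455253 };
typedef struct { unsigned tag; } hdr_t;
typedef struct { int is_persistent; } dbh_t;
typedef struct { dbh_t *dbh; char *errmsg; } stmt_t;

/* Stands in for pestrdup(s, persistent): the flag selects the heap. */
static char *blk_strdup(const char *s, int persistent) {
    size_t n = strlen(s) + 1;
    hdr_t *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->tag = persistent ? TAG_PERSIST : TAG_REQUEST;
    memcpy(h + 1, s, n);
    return (char *)(h + 1);
}

/* Stands in for pefree(p, persistent): returns -1 and leaves the block
   untouched when the flag names the wrong heap, 0 after a matching free. */
static int blk_free(char *p, int persistent) {
    hdr_t *h = (hdr_t *)p - 1;
    if (h->tag != (unsigned)(persistent ? TAG_PERSIST : TAG_REQUEST)) return -1;
    h->tag = 0;
    free(h);
    return 0;
}

/* Error path: the message is allocated with the handle's persistence flag. */
static void stmt_set_error(stmt_t *s, const char *msg) {
    s->errmsg = blk_strdup(msg, s->dbh->is_persistent);
}
/* Pre-patch destructor: always frees as request memory (the efree case). */
static int stmt_dtor_before(stmt_t *s) {
    return s->errmsg ? blk_free(s->errmsg, 0) : 0;
}
/* Patched destructor: frees with the same flag that was used to allocate. */
static int stmt_dtor_after(stmt_t *s) {
    int rc = s->errmsg ? blk_free(s->errmsg, s->dbh->is_persistent) : 0;
    if (rc == 0) s->errmsg = NULL;
    return rc;
}

int main(void) {
    dbh_t dbh = {1};                 /* persistent handle */
    stmt_t st = {&dbh, NULL};
    stmt_set_error(&st, "ORA-00942 (constructed sample)");
    int before = stmt_dtor_before(&st);   /* mismatch is reported */
    int after = stmt_dtor_after(&st);     /* matching free succeeds */
    printf("before=%d after=%d\n", before, after);
    return 0;
}
```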

 [2009-05-12 22:02 UTC] mbeccati@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2016-03-08 01:48 UTC] sixd@php.net
-Package: PDO related +Package: PDO OCI
 