Bug #48240 DBA Segmentation fault dba_nextkey
Submitted: 2009-05-12 03:29 UTC Modified: 2010-06-13 19:03 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: VJTD3 at VJTD3 dot com Assigned: felipe (profile)
Status: Closed Package: DBM/DBA related
PHP Version: 5.2.9 OS: linux redhat fedora 10
Private report: No CVE-ID: None
 [2009-05-12 03:29 UTC] VJTD3 at VJTD3 dot com
Description:
------------
DBA Segmentation fault on function dba_nextkey without dba_firstkey before dba_nextkey.

Reproduce code:
---------------
./configure --enable-dba --with-db4 --disable-libxml --disable-dom --disable-simplexml --disable-libxml --disable-xml --disable-xmlreader --disable-xmlwriter --without-pear

<?php
 $dba = dba_open('database', 'r', 'db4');
 // dba_nextkey() is called without a preceding dba_firstkey(); this is the call that segfaults
 $key = dba_nextkey($dba);
 echo $key.':'.dba_fetch($key, $dba)."\n";
?>

db4-4.7.25-7

Expected result:
----------------
The first key by default, or at least an error instead of a segfault. (Yes, I know dba_firstkey should be called before dba_nextkey; however, segfaults are probably not a good reaction. Defaulting to the first record or returning an error is better...)

Actual result:
--------------
seg fault

 [2009-05-12 05:25 UTC] jani@php.net
Could you provide a test db (or does this happen with any?) somewhere?
And/or a gdb backtrace of the crash?
 [2009-05-12 13:30 UTC] VJTD3 at VJTD3 dot com
<?php
 // mode 'c' creates the database if it does not exist, so no test file is needed
 $dba = dba_open('database', 'c', 'db4');
 dba_insert('php', 'crashed', $dba);
 // dba_nextkey() before dba_firstkey(): the call that crashes
 $key = dba_nextkey($dba);
 echo $key.':'.dba_fetch($key, $dba)."\n";
?>

That alone will segfault. It happens on any database driver when dba_nextkey is used before dba_firstkey. That snippet will create a fresh database and crash, to make testing easier.
 [2009-05-12 14:31 UTC] VJTD3 at VJTD3 dot com
[New Thread 0xb7ff56c0 (LWP 10754)]

Program received signal SIGSEGV, Segmentation fault.
0x080d0c66 in dba_nextkey_db4 (info=0x84d75f0, newlen=0xbfffb360)
    at php-5.2.9/ext/dba/dba_db4.c:222
222             if (dba->cursor->c_get(dba->cursor, &gkey, &gval, DB_NEXT) == 0) {
(gdb) bt
#0  0x080d0c66 in dba_nextkey_db4 (info=0x84d75f0, newlen=0xbfffb360)
    at php-5.2.9/ext/dba/dba_db4.c:222
#1  0x080cf3cc in zif_dba_nextkey (ht=1, return_value=0x84d6e78,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at php-5.2.9/ext/dba/dba.c:1101
#2  0x08304280 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:200
#3  0x08309bba in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:1729
#4  0x08303dfd in execute (op_array=0x84d7538)
    at php-5.2.9/Zend/zend_vm_execute.h:92
#5  0x082df04e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at php-5.2.9/Zend/zend.c:1134
#6  0x0828dd81 in php_execute_script (primary_file=0xbfffd8c4)
    at php-5.2.9/main/main.c:2023
#7  0x0835a851 in main (argc=2, argv=0xbfffda04)
    at php-5.2.9/sapi/cli/php_cli.c:1133
(gdb) frame 0
#0  0x080d0c66 in dba_nextkey_db4 (info=0x84d75f0, newlen=0xbfffb360)
    at php-5.2.9/ext/dba/dba_db4.c:222
222             if (dba->cursor->c_get(dba->cursor, &gkey, &gval, DB_NEXT) == 0) {
(gdb) frame 1
#1  0x080cf3cc in zif_dba_nextkey (ht=1, return_value=0x84d6e78,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at php-5.2.9/ext/dba/dba.c:1101
1101            nkey = info->hnd->nextkey(info, &len TSRMLS_CC);
(gdb) frame 2
#2  0x08304280 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:200
200                             ((zend_internal_function *) EX(function_state).function)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX(function_state).function->common.return_reference?&EX_T(opline->result.u.var).var.ptr:NULL, EX(object), return_value_used TSRMLS_CC);
(gdb) frame 3
#3  0x08309bba in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffb548)
    at php-5.2.9/Zend/zend_vm_execute.h:1729
1729            return zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) frame 4
#4  0x08303dfd in execute (op_array=0x84d7538)
    at php-5.2.9/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) frame 5
#5  0x082df04e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at php-5.2.9/Zend/zend.c:1134
1134                            zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 6
#6  0x0828dd81 in php_execute_script (primary_file=0xbfffd8c4)
    at php-5.2.9/main/main.c:2023
2023                    retval = (zend_execute_scripts(ZEND_REQUIRE TSRMLS_CC, NULL, 3, prepend_file_p, primary_file, append_file_p) == SUCCESS);
(gdb) frame 7
#7  0x0835a851 in main (argc=2, argv=0xbfffda04)
    at php-5.2.9/sapi/cli/php_cli.c:1133
1133                            php_execute_script(&file_handle TSRMLS_CC);
(gdb)


If you need me to go into more detail I can. It looks like it's just referencing a value not set until dba_firstkey is called (it does not have a previous index from which to find the next).
 [2009-05-13 02:17 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.

FALSE is returned now.
 [2009-05-13 07:16 UTC] VJTD3 at VJTD3 dot com
Can this be changed to return the first result if there is one and false if there are none?

dba_firstkey is a rewind, dba_nextkey is an iterator. Starting from the beginning makes sense.
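An added example, not part of the report or of PHP's own code, showing the iteration model the comment above describes (dba_firstkey rewinds, dba_nextkey advances) and checking for the FALSE that a build with the fix returns instead of crashing; the file name 'example.db' and the stored pairs are constructed, and the db4 handler is assumed to be compiled in as in the report's configure line:

```php
<?php
// Assumption: PHP built with --enable-dba --with-db4; 'example.db' is a placeholder.

// Walk every key/value pair in cursor order. dba_firstkey() positions the
// cursor; without it dba_nextkey() has nothing to advance from, which is the
// state that segfaulted in 5.2.9 and returns FALSE once the fix is applied.
function dba_all_pairs($dba): array
{
    $pairs = [];
    for ($key = dba_firstkey($dba); $key !== false; $key = dba_nextkey($dba)) {
        $pairs[$key] = dba_fetch($key, $dba);
    }
    return $pairs;
}

$dba = dba_open('example.db', 'c', 'db4');
if ($dba === false) {
    fwrite(STDERR, "could not open example.db\n");
    exit(1);
}
dba_replace('php', 'fixed', $dba);
dba_replace('bug', '48240', $dba);

// On a build with the fix, dba_nextkey() before dba_firstkey() yields FALSE.
// Test the return value before handing it to dba_fetch(), which expects a key.
$key = dba_nextkey($dba);
if ($key === false) {
    echo "cursor not positioned; call dba_firstkey() first\n";
}

foreach (dba_all_pairs($dba) as $key => $value) {
    echo "$key: $value\n";
}
dba_close($dba);
```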
 [2009-05-19 05:03 UTC] VJTD3 at VJTD3 dot com
I didn't see a reply, so I changed it to open in case that's needed for the devs.
 [2010-06-13 19:03 UTC] felipe@php.net
-Status: Assigned +Status: Closed
 [2010-06-13 19:03 UTC] felipe@php.net
The crash has been fixed; changing the behavior (when it wasn't crashing) would break BC.