Bug #51624 Crash when calling mysqli_options()
Submitted: 2010-04-21 14:10 UTC Modified: 2010-04-26 01:25 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: zulcss at ubuntu dot com Assigned: felipe (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.2 OS: Ubuntu/Linux
Private report: No CVE-ID: None
 [2010-04-21 14:10 UTC] zulcss at ubuntu dot com
Description:
------------
Hi,

This bug was recently reported on Launchpad at http://bugs.launchpad.net/bugs/567043. I have included the gdb backtrace with this bug report.

Regards
chuck

Expected result:
----------------
Not to crash.

Actual result:
--------------
#0  0x00007fe478493d02 in memcpy () from /lib/libc.so.6
No symbol table info available.
#1  0x0000000000677ff8 in _estrndup (s=0x4d00000050 <Address 0x4d00000050 out of bounds>, length=90) at /usr/include/bits/string3.h:52
No locals.
#2  0x000000000069459b in _zval_copy_ctor_func (zvalue=0x1f84ca8) at /build/buildd/php5-5.3.2/Zend/zend_variables.c:126
        tmp = 0x1ecb470
        original_ht = 0x1ecb470
#3  0x00007fe4752b0f68 in zif_mysqli_options (ht=33049848, return_value=0x1f84c58, return_value_ptr=0x5a, this_ptr=0x4d00000050, return_value_used=17) at /build/buildd/php5-5.3.2/Zend/zend_variables.h:45
        mysql_link = 0x1f84ca8
        mysql_value = 0x5
        mysql_option = 33049648
        l_value = 0
        expected_type = 33049848
#4  0x00000000006e598a in zend_do_fcall_common_helper_SPEC (execute_data=0x142a390) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:313
        opline = 0x15c7698
        should_change_scope = 0 '\000'
#5  0x00000000006bcc70 in execute (op_array=0x11d7080) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:104
        ret = 33049848
        execute_data = 0x142a390
        nested = 0 '\000'
        original_in_execution = 1 '\001'
#6  0x000000000068ab94 in zend_call_function (fci=0x7fff6ab02fd0, fci_cache=0x141f840) at /build/buildd/php5-5.3.2/Zend/zend_execute_API.c:947
        i = 17
        original_return_value = 0x141f6f0
        calling_symbol_table = 0x1938398
        original_op_array = 0x19cf630
        original_opline_ptr = <incomplete type>
        current_scope = 0x1db96c0
        current_called_scope = 0x1938398
        calling_scope = 0x0
        called_scope = 0x141f6f0
        current_this = 0x0
        execute_data = {opline = 0x0, function_state = {function = 0x0, arguments = 0x1949408}, fbc = 0x141fe68, called_scope = 0x0, op_array = 0x0, object = 0x0, Ts = 0x1956490, CVs = 0x141f938, symbol_table = 0x141f8d8, 
          prev_execute_data = 0x0, old_error_reporting = 0x141f840, nested = 0 '\000', original_return_value = 0x1, current_scope = 0x141e228, current_called_scope = 0x1938398, current_this = 0x1938398, current_object = 0x1db92d0, 
          call_opline = 0x0}
#7  0x00000000005cd107 in zif_call_user_func_array (ht=33049848, return_value=0x1db8eb8, return_value_ptr=0x5a, this_ptr=0x1, return_value_used=17) at /build/buildd/php5-5.3.2/ext/standard/basic_functions.c:4782
        params = 0x0
        retval_ptr = 0x141f840
        fci = {size = 6082823, function_table = 0x48, function_name = 0x1927c28, symbol_table = 0x1a58120, retval_ptr_ptr = 0x0, param_count = 1789931600, params = 0x3, object_ptr = 0x1da2868, no_separation = 144 '\220'}
        fci_cache = {initialized = 176 '\260', function_handler = 0x1, calling_scope = 0x1949408, called_scope = 0x1927bf8, object_ptr = 0x1927bf8}
#8  0x00000000006e598a in zend_do_fcall_common_helper_SPEC (execute_data=0x141f840) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:313
        opline = 0x19d4418
        should_change_scope = 0 '\000'
#9  0x00000000006bcc70 in execute (op_array=0x19cf630) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:104
        ret = 33049848
        execute_data = 0x141f840
        nested = 0 '\000'
        original_in_execution = 0 '\000'
#10 0x000000000069499d in zend_execute_scripts (type=0, retval=0x7fff6ab03210, file_count=3) at /build/buildd/php5-5.3.2/Zend/zend.c:1266
        files = 0x7fff6ab031e8
        i = 1
        file_handle = 0x7fff6ab05810
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0xd8fd30
#11 0x0000000000640608 in php_execute_script (primary_file=0x1888) at /build/buildd/php5-5.3.2/main/main.c:2288
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 2, 0, 6040, 0}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 1, 0, 27843312, 0, 12, 0, 11235408, 0, 1789928576, 32767, 24063528, 0, 0, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = 1789930876, filename = 0x7fff6ab027b0 "\367\002\033\003\060", opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 1789928092, mmap = {len = 1789928096, pos = 1789928624, 
                map = 0x7fff6ab02270, buf = 0x7fff6ab02294 "\004", old_handle = 0x0, old_closer = 0x7fff6ab02298}, reader = 0x7fff6ab022b1, fsizer = 0xffffffffffffffff, closer = 0}}, free_filename = 0 '\000'}
        append_file = {type = 32270416, filename = 0x81 <Address 0x81 out of bounds>, opened_path = 0x0, handle = {fd = 11259128, fp = 0xabccf8, stream = {handle = 0xabccf8, isatty = 1789928704, mmap = {len = 77, pos = 0, map = 0x4e, 
                buf = 0x20 <Address 0x20 out of bounds>, old_handle = 0x645b9f, old_closer = 0x7fff6ab02218}, reader = 0x7fff6ab02231, fsizer = 0x7fe47558bc00, closer = 0}}, free_filename = 58 ':'}
        retval = 0
#12 0x0000000000722534 in main (argc=32767, argv=0x0) at /build/buildd/php5-5.3.2/sapi/cgi/cgi_main.c:2110
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 3519450402, 4092175345, 14222272, 0}, __mask_was_saved = -175993566, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        free_query_string = 16777216
        exit_status = 0
        cgi = 0
        c = 33049848
        i = 14218272
        len = 14218272
        file_handle = {type = 2005125391, filename = 0x4 <Address 0x4 out of bounds>, opened_path = 0x13d64e8 "/var/www/www.tetramid.net/html/audrey/main.php", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 20886816, 
              mmap = {len = 0, pos = 22978, map = 0x0, buf = 0x7fe47ad09000 <Address 0x7fe47ad09000 out of bounds>, old_handle = 0x7fe47ad09000, old_closer = 0x17c5f70}, reader = 0x6aa4c0 <zend_stream_stdio_closer>, 
              fsizer = 0x6aab00 <zend_stream_stdio_reader>, closer = 0x6aa580 <zend_stream_stdio_fsizer>}}, free_filename = 128 '\200'}
        s = 0x13d5248 "/var/www/www.tetramid.net/html/audrey/main.php"
        behavior = 0
        no_headers = 0
        orig_optind = 0
        orig_optarg = 0x0
        script_file = 0x100000000 <Address 0x100000000 out of bounds>
        max_requests = 1
        requests = 0
        fastcgi = 1
        bindpath = 0x100000001 <Address 0x100000001 out of bounds>
        fcgi_fd = 14218272
        request = {listen_socket = 0, fd = 0, id = 0, keep = 3, closed = 1, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0x0, 
          out_buf = "\360X\260j\377\177\000\000\001\006\000\001\005\n\006\000X-Powered-By: PHP/5.3.2-1ubuntu4\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nContent-type: text/javascript; charset=UTF-8\r\nLast-Modified: Tue, 20 Apr 2010 04:31:55 GMT\r\nExpires: Thu, 20 M"..., reserved = "drey/vid\000\000\000\000\000\000\000", env = 0x0}
        repeats = 0
        benchmark = 0
        start = {tv_sec = 0, tv_usec = 0}
        end = {tv_sec = 0, tv_usec = 0}
        status = 0


History

 [2010-04-21 16:52 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-04-21 16:52 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2010-04-22 21:08 UTC] Fedora at famillecollet dot com
I just tried gallery2 with the 201004221630 snapshot (5.3.3-dev).

No crash encountered.

Just need to find the fix in Subversion.
 [2010-04-26 00:51 UTC] magicaltux@php.net
A wild guess based on the comment date: SVN revision 298253

The patch:
http://ookoo.org/svn/snip/php-5.3.2-mysql-badmem-fix.patch

I have applied the patch on my install and asked customers experiencing problems 
to try again. They report that the problem is fixed. I guess this bug report can 
now be closed.
 [2010-04-26 01:24 UTC] felipe@php.net
-Summary: Gallery2 causing segfault when trying to update. +Summary: Crash when calling mysqli_options()
 [2010-04-26 01:25 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=298563
Log: - BFN #51624
 [2010-04-26 01:25 UTC] felipe@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-04-26 01:25 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for testing!
 