Bug #55653 PS crash with libmysql when binding same variable as param and out
Submitted: 2011-09-09 12:00 UTC Modified: 2011-09-10 04:44 UTC
From: uw@php.net Assigned: laruence (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.4SVN-2011-09-09 (SVN) OS:
Private report: No CVE-ID: None
 [2011-09-09 12:00 UTC] uw@php.net
Description:
------------
This will crash if using mysqli with libmysql.

 sapi/cli/php -r '$link = new mysqli("192.168.2.27", "root", "", "test"); $stmt = $link->stmt_init(); $in = "a"; $stmt->prepare("SELECT ?"); $stmt->bind_param("s", $in); $stmt->execute(); $stmt->bind_result($in); $stmt->fetch(); var_dump($in);'

/home/nixnutz/php-src/branches/PHP_5_4/ext/mysqli/mysqli_api.c(890) : Block 0x071e5870 status:
Invalid pointer: ((size=0x005976c6) != (next.prev=0x00000000))
==12847== Conditional jump or move depends on uninitialised value(s)
==12847==    at 0x81C242: zend_mm_check_ptr (zend_alloc.c:1388)
==12847==    by 0x81C230: zend_mm_check_ptr (zend_alloc.c:1385)
==12847==    by 0x81DDA6: _zend_mm_free_int (zend_alloc.c:2064)
==12847==    by 0x81F350: _efree (zend_alloc.c:2436)
==12847==    by 0x5F412E: mysqli_stmt_fetch_libmysql (mysqli_api.c:890)


Box 1:

mysqli

MysqlI Support => enabled
Client API library version => 5.6.2-m5
Active Persistent Links => 0
Inactive Persistent Links => 0
Active Links => 0
Client API header version => 5.6.2-m5
MYSQLI_SOCKET => /tmp/mysql.sock


Box 2:

mysqli

MysqlI Support => enabled
Client API library version => 5.1.45
Active Persistent Links => 0
Inactive Persistent Links => 0
Active Links => 0
Client API header version => 5.1.45
MYSQLI_SOCKET => /tmp/mysql.sock





Test script:
---------------
 sapi/cli/php -r '$link = new mysqli("192.168.2.27", "root", "", "test"); $stmt = $link->stmt_init(); $in = "a"; $stmt->prepare("SELECT ?"); $stmt->bind_param("s", $in); $stmt->execute(); $stmt->bind_result($in); $stmt->fetch(); var_dump($in);'




 [2011-09-09 12:11 UTC] uw@php.net
Automatic comment from SVN on behalf of uw
Revision: http://svn.php.net/viewvc/?view=revision&revision=316455
Log: Bug #55653
 [2011-09-09 12:12 UTC] uw@php.net
Test added
 [2011-09-10 03:51 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=316474
Log: Fixed Bug #55653 (PS crash with libmysql when binding same variable as param and out)
Actually this is caused by an attempt to efree an INTERNED string
 [2011-09-10 03:52 UTC] laruence@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: laruence
 [2011-09-10 03:52 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-09-10 04:44 UTC] laruence@php.net
This also causes a segfault in ext/mysqli/tests/mysqli_stmt_execute_stored_proc.php
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5e477ae1f899c6382f86f51ee309d7640ec598db
Log: Fixed Bug #55653 (PS crash with libmysql when binding same variable as param and out) Actually this is caused by an attempt to efree an INTERNED string
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5e477ae1f899c6382f86f51ee309d7640ec598db
Log: Fixed Bug #55653 (PS crash with libmysql when binding same variable as param and out) Actually this is caused by an attempt to efree an INTERNED string
 [2013-11-17 09:36 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5e477ae1f899c6382f86f51ee309d7640ec598db
Log: Fixed Bug #55653 (PS crash with libmysql when binding same variable as param and out) Actually this is caused by an attempt to efree an INTERNED string
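
The cause named in the fix's log message (an efree of an interned string when the same variable is the bound parameter and the bound result), modelled in standalone C as an added example. This is not the PHP source or the actual patch; `interned_arena`, `intern`, `is_interned`, `struct var` and `store_fetched` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an engine's interned-string arena: literals
 * such as "a" are stored here once and are never freed individually. */
static char interned_arena[64];
static size_t interned_used;

static char *intern(const char *s) {
    size_t n = strlen(s) + 1;
    if (interned_used + n > sizeof interned_arena) return NULL;
    char *p = memcpy(interned_arena + interned_used, s, n);
    interned_used += n;
    return p;
}

/* Address-range test: does p point into the interned arena? */
static int is_interned(const char *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)interned_arena;
    return a >= lo && a < lo + sizeof interned_arena;
}

/* Simplified variable slot, used as both bound parameter and bound result. */
struct var { char *str; };

/* Overwrite the slot with a fetched value. Returns 1 if the old buffer was
 * freed, 0 if the free was skipped because the old value is interned.
 * Calling free() unconditionally here would pass an arena pointer to the
 * allocator, which is the invalid-pointer condition in the report. */
static int store_fetched(struct var *v, const char *fetched) {
    int freed = 0;
    if (v->str && !is_interned(v->str)) { free(v->str); freed = 1; }
    size_t n = strlen(fetched) + 1;
    v->str = malloc(n);
    if (v->str) memcpy(v->str, fetched, n);
    return freed;
}

int main(void) {
    struct var in = { intern("a") };            /* like $in = "a" */
    printf("first fetch freed old value: %d\n", store_fetched(&in, "a"));
    printf("second fetch freed old value: %d\n", store_fetched(&in, "a"));
    free(in.str);                               /* heap copy from last fetch */
    return 0;
}
```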
 
Last updated: Thu Nov 21 13:01:29 2024 UTC