Bug #63530 mysqlnd_stmt::bind_one_parameter uses wrong alloc for stmt->param_bind
Submitted: 2012-11-15 18:34 UTC Modified: 2013-03-14 14:05 UTC
From: geoff at lollywollydoodle dot com Assigned: mysql (profile)
Status: Closed Package: MySQL related
PHP Version: 5.3.18 OS: OS X 10.8.2
Private report: No CVE-ID: None
 [2012-11-15 18:34 UTC] geoff at lollywollydoodle dot com
Description:
------------
This issue is specific to PDO, mysqlnd, PDO::ATTR_EMULATE_PREPARES => false, and PDO::ATTR_PERSISTENT => true.

When you run a prepared statement with parameters this way, PHP crashes.

My fix is essentially the same as the one for bug 61411, but in a different function. I browsed around git at some other HEADs, including master, and it looks like this issue is still there in all of them.

Test script:
---------------
<?php
// Reproduction as posted: native (non-emulated) prepares over a persistent
// mysqlnd connection. DBHOST, DBDATA, DBUSER and DBPASS are constants defined
// elsewhere in the reporter's environment.
$dbh = new PDO('mysql:host=' . DBHOST . ';dbname=' . DBDATA, DBUSER, DBPASS,
    array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_PERSISTENT => true));
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Binding a parameter to a server-side prepared statement sets up the crash;
// it fires when the statement object is destroyed (see the backtrace below).
$s = $dbh->prepare('select * from t where id = :id limit 1');
$s->execute(array(':id' => 1));

$r = $s->fetch(PDO::FETCH_ASSOC);

Expected result:
----------------
Script to not crash, result set to be available

Actual result:
--------------
PHP crashes (php-cgi or httpd process).


#0  0x00007fff89a4a558 in malloc_error_break ()
#1  0x00007fff89a4b912 in free ()
#2  0x000000010a874c00 in _mysqlnd_pefree (ptr=0x103, persistent=1 '\001') at mysqlnd_debug.c:1062
#3  0x000000010a876107 in php_mysqlnd_stmt_free_stmt_content_pub (s=0x7fdb94bf44d0) at mysqlnd_ps.c:2114
#4  0x000000010a877023 in php_mysqlnd_stmt_net_close_priv (s=0x7fdb94bf44d0, implicit=33 '!') at mysqlnd_ps.c:2209
#5  0x000000010a875f6e in php_mysqlnd_stmt_dtor_pub (s=0x103, implicit=0 '\0') at mysqlnd_ps.c:2236
#6  0x000000010a756233 in pdo_mysql_stmt_dtor (stmt=0x10ae7f438) at mysql_statement.c:64
#7  0x000000010a7503a5 in free_statement (stmt=0x103) at pdo_stmt.c:2406
#8  0x000000010a8f0041 in zend_objects_store_del_ref_by_handle_ex (handle=259, handlers=0x10af16000) at zend_objects_API.c:220
#9  0x000000010a8f00fa in zend_objects_store_del_ref (zobject=0x10b122100) at zend_objects_API.c:173
#10 0x000000010a8c46da in _zval_dtor [inlined] () at /Users/geoff/php-5.3.17/Zend/zend_variables.h:35
#11 0x000000010a8c46da in _zval_ptr_dtor (zval_ptr=0x103) at zend_variables.h:447
#12 0x000000010a9354dd in zend_leave_helper_SPEC (execute_data=0x103) at zend_vm_execute.h:160
#13 0x000000010a934b31 in execute (op_array=0x103) at zend_vm_execute.h:107
#14 0x000000010a8c5af5 in zend_call_function (fci=0x7fff55971af8) at zend_execute_API.c:969
#15 0x000000010a8072f6 in zif_call_user_func_array (ht=259, return_value=0x10b1214d0, return_value_ptr=0x1000, this_ptr=0x7fff8a0f45de, return_value_used=0) at basic_functions.c:4814
#16 0x000000010a934439 in zend_do_fcall_common_helper_SPEC (execute_data=0x103) at zend_vm_execute.h:320
#17 0x000000010a934b31 in execute (op_array=0x10b041508) at zend_vm_execute.h:107
#18 0x000000010a8c5af5 in zend_call_function (fci=0x7fff55971d98) at zend_execute_API.c:969
#19 0x000000010a8072f6 in zif_call_user_func_array (ht=184816904, return_value=0x10b12a6e8, return_value_ptr=0x1000, this_ptr=0x7fff8a0f45de, return_value_used=0) at basic_functions.c:4814
#20 0x000000010a934439 in zend_do_fcall_common_helper_SPEC (execute_data=0x10b041508) at zend_vm_execute.h:320
#21 0x000000010a934b31 in execute (op_array=0x10b040fa0) at zend_vm_execute.h:107
#22 0x000000010a8cf878 in zend_execute_scripts (type=8, retval=0x7fff55972010, file_count=1435967504) at zend.c:1236
#23 0x000000010a87db02 in php_execute_script (primary_file=0x7fff559726b8) at main.c:2308
#24 0x000000010a949c90 in php_handler (r=0x10b040fa0) at sapi_apache2.c:669
#25 0x000000010a28ee8d in ap_run_handler ()
#26 0x000000010a28f592 in ap_invoke_handler ()
#27 0x000000010a2c4e44 in ap_internal_redirect ()
#28 0x000000010a5e2d65 in handler_redirect ()
#29 0x000000010a28ee8d in ap_run_handler ()
#30 0x000000010a28f592 in ap_invoke_handler ()
#31 0x000000010a2c4efb in ap_process_request ()
#32 0x000000010a2c1043 in ap_process_http_connection ()
#33 0x000000010a2a40ad in ap_run_process_connection ()
#34 0x000000010a2a465b in ap_process_connection ()
#35 0x000000010a2ceeec in child_main ()
#36 0x000000010a2cd99e in make_child ()
#37 0x000000010a2cda50 in startup_children ()
#38 0x000000010a2ccb1f in ap_mpm_run ()
#39 0x000000010a297b12 in main ()
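
The backtrace shows free() reached through _mysqlnd_pefree with persistent=1 while the statement's param_bind buffer is released in php_mysqlnd_stmt_free_stmt_content. The C model below is an added example, not the reporter's patch and not PHP's source: it reproduces the defect class in isolation, where a statement on a persistent connection gets its param_bind buffer from the request-scoped pool but teardown frees it with the statement's persistence flag. The pool tags, pool_alloc/pool_free, the struct layouts and run_scenario are all constructed for this example; mysqlnd's real allocator internals are only loosely mirrored.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of two allocation pools (constructed for this example): request-scoped
 * memory is released at request end, persistent memory survives across requests
 * and is what a persistent connection's statements must use. Each block records
 * its pool so a free against the wrong pool is reported instead of corrupting
 * the heap, which is what malloc_error_break() aborts on in the report. */
enum pool_tag { POOL_REQUEST = 0xE1, POOL_PERSISTENT = 0xE2 };

struct block_hdr { size_t tag; };   /* size_t keeps the payload 8-byte aligned */

static void *pool_alloc(size_t n, bool persistent)
{
    struct block_hdr *h = calloc(1, sizeof *h + n);
    if (h == NULL)
        return NULL;
    h->tag = persistent ? POOL_PERSISTENT : POOL_REQUEST;
    return h + 1;
}

/* Returns 0 when the block came from the requested pool, -1 on a mismatch.
 * The block is released either way so the model itself does not leak. */
static int pool_free(void *p, bool persistent)
{
    if (p == NULL)
        return 0;
    struct block_hdr *h = (struct block_hdr *)p - 1;
    size_t expected = persistent ? POOL_PERSISTENT : POOL_REQUEST;
    int rc = (h->tag == expected) ? 0 : -1;
    h->tag = 0;
    free(h);
    return rc;
}

struct param_bind { int type; void *zv; };

struct stmt {
    bool persistent;               /* follows the connection's ATTR_PERSISTENT */
    struct param_bind *param_bind;
    unsigned param_count;
};

/* Before: the bind buffer is always taken from the request pool, ignoring
 * whether the statement belongs to a persistent connection. */
static int bind_one_parameter_before(struct stmt *s, unsigned count)
{
    s->param_bind = pool_alloc(count * sizeof *s->param_bind, false);
    s->param_count = count;
    return s->param_bind ? 0 : -1;
}

/* After: the pool follows the statement's own persistence flag, matching the
 * pool that free_stmt_content() later releases the buffer to. */
static int bind_one_parameter_after(struct stmt *s, unsigned count)
{
    s->param_bind = pool_alloc(count * sizeof *s->param_bind, s->persistent);
    s->param_count = count;
    return s->param_bind ? 0 : -1;
}

/* Teardown modelled on the free_stmt_content frame in the backtrace: release
 * with the statement's persistence flag and report pool_free's verdict. */
static int free_stmt_content(struct stmt *s)
{
    int rc = pool_free(s->param_bind, s->persistent);
    s->param_bind = NULL;
    s->param_count = 0;
    return rc;
}

/* Bind one parameter, then destroy the statement. Returns 0 if the free was
 * consistent with the allocation, -1 if the buffer hit the wrong pool. */
int run_scenario(bool persistent, bool fixed)
{
    struct stmt s = { .persistent = persistent, .param_bind = NULL, .param_count = 0 };
    int rc = fixed ? bind_one_parameter_after(&s, 1) : bind_one_parameter_before(&s, 1);
    if (rc != 0)
        return rc;
    return free_stmt_content(&s);
}

int main(void)
{
    printf("persistent, before fix: %s\n", run_scenario(true, false) == 0 ? "ok" : "pool mismatch");
    printf("persistent, after fix:  %s\n", run_scenario(true, true) == 0 ? "ok" : "pool mismatch");
    printf("non-persistent, before: %s\n", run_scenario(false, false) == 0 ? "ok" : "pool mismatch");
    return 0;
}
```

The non-persistent case passes even with the pre-fix allocator, which is why the bug only surfaces with PDO::ATTR_PERSISTENT => true: the request pool and the statement's flag happen to agree. A pool tag like this is the kind of check a debug allocator adds to turn a silent heap corruption into a deterministic failure at the offending free.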

Patches

bind_one_parameter_alloc.patch (last revision 2012-11-15 18:34 UTC by geoff at lollywollydoodle dot com)

Pull Requests

History

 [2013-03-12 15:44 UTC] uw@php.net
Andrey, can you apply the patch? Looks fine to me.
 [2013-03-12 15:44 UTC] uw@php.net
-Assigned To: +Assigned To: mysql
 [2013-03-14 14:05 UTC] andrey@php.net
Fix pushed in 5.3-dev. Will be part of the next releases of 5.3, 5.4 and 5.5.
 [2013-03-14 14:05 UTC] andrey@php.net
-Status: Assigned +Status: Closed
Last updated: Tue Dec 03 17:01:29 2024 UTC