Bug #69757 Segmentation fault on nextRowset
Submitted: 2015-06-04 19:48 UTC Modified: 2015-10-18 09:43 UTC
Votes:6
Avg. Score:4.8 ± 0.4
Reproduced:6 of 6 (100.0%)
Same Version:1 (16.7%)
Same OS:4 (66.7%)
From: miracle at rpz dot name Assigned: ab (profile)
Status: Closed Package: PDO DBlib
PHP Version: 5.6.9 OS: Linux
Private report: No CVE-ID: None
 [2015-06-04 19:48 UTC] miracle at rpz dot name
Description:
------------
php configured --with-pdo-dblib=shared,/usr

After fetching the first (any) resultset, PDOStatement::nextRowset() causes a segmentation fault instead of returning a boolean result.

Segfault reproduced with php 5.4.41, 5.5.25, 5.6.9; freetds: 0.91, 0.95rc3


Test script:
---------------
<?php

if (!extension_loaded('pdo_dblib')) {
    die('skip not loaded');
}
require __DIR__ . '/config.inc'; // PDO test-suite config: creates the connection in $db

// Batch that returns two result sets; a single-rowset query crashes the same way.
$sql = "
EXEC sp_executesql N'
    SELECT 1 as first_rowset
    SELECT 2 as second_rowset
'
";
//$sql = 'SELECT 1 as first_rowset'; // same result: segfault
$stmt = $db->query($sql);

$resultset1 = $stmt->fetchAll(PDO::FETCH_ASSOC);
//var_dump($resultset1); // first_rowset => 1
$stmt->nextRowset(); // segfault here



Actual result:
--------------
Core was generated by `php pdo_dblib_next_rowset_segfault.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000067c6d8 in zend_mm_check_ptr (heap=0x1493b20, ptr=0x16f2308, silent=1, 
    __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", __zend_lineno=2053, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:1384
1384            if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x000000000067c6d8 in zend_mm_check_ptr (heap=0x1493b20, ptr=0x16f2308, silent=1, 
    __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", __zend_lineno=2053, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:1384
#1  0x000000000067e2d2 in _zend_mm_free_int (heap=0x1493b20, p=0x16f2308, 
    __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", __zend_lineno=2053, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:2068
#2  0x000000000067f75c in _efree (ptr=0x16f2308, __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", 
    __zend_lineno=2053, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:2440
#3  0x00007f1e5d1441d7 in pdo_stmt_do_next_rowset (stmt=0x7f1e61a76ad0) at /tmp/php-5.6.9/ext/pdo/pdo_stmt.c:2053
#4  0x00007f1e5d144333 in zim_PDOStatement_nextRowset (ht=0, return_value=0x7f1e61a77960, return_value_ptr=0x7f1e64250200, 
    this_ptr=0x7f1e61a76c90, return_value_used=0) at /tmp/php-5.6.9/ext/pdo/pdo_stmt.c:2082
#5  0x00000000006fd188 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f1e642503b8)
    at /tmp/php-5.6.9/Zend/zend_vm_execute.h:558
#6  0x00000000006fd95c in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7f1e642503b8)
    at /tmp/php-5.6.9/Zend/zend_vm_execute.h:693
#7  0x00000000006fc7f1 in execute_ex (execute_data=0x7f1e642503b8) at /tmp/php-5.6.9/Zend/zend_vm_execute.h:363
#8  0x00000000006fc87a in zend_execute (op_array=0x7f1e6428cf30) at /tmp/php-5.6.9/Zend/zend_vm_execute.h:388
#9  0x00000000006b9058 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php-5.6.9/Zend/zend.c:1341
#10 0x00000000006242af in php_execute_script (primary_file=0x7ffd72f96120) at /tmp/php-5.6.9/main/main.c:2597
#11 0x000000000076ad09 in do_cli (argc=2, argv=0x1493870) at /tmp/php-5.6.9/sapi/cli/php_cli.c:994
#12 0x000000000076be16 in main (argc=2, argv=0x1493870) at /tmp/php-5.6.9/sapi/cli/php_cli.c:1378
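The backtrace above shows pdo_stmt_do_next_rowset() handing col->name to efree(), so the PDO core treats every column name as memory it owns, while the driver was storing the pointer dbcolname() returned. The C sketch below is an added illustration, not code from PHP or FreeTDS, of that ownership contract: malloc/free stand in for emalloc/efree, a constructed fake_dbcolname() stands in for the library call, and a NULL guard is added for out-of-range columns.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct column_data {      /* constructed stand-in for PDO's pdo_column_data */
    char *name;           /* must be heap-owned: the core frees it on nextRowset() */
    size_t namelen;
};

/* Stand-in for FreeTDS dbcolname(): a pointer into library-owned memory,
 * "" for an unnamed computed column, NULL for an out-of-range column number. */
static const char *fake_dbcolname(int colno)
{
    static const char *names[] = { "first_rowset", "" };
    return (colno < 1 || colno > 2) ? NULL : names[colno - 1];
}

/* Describer modelled on the patch in this report, plus a NULL guard: the core
 * always receives a private copy it may release. Returns 0 on success. */
static int describe_column(struct column_data *col, int colno)
{
    const char *fname = fake_dbcolname(colno + 1);
    char computed_buf[32];
    if (fname == NULL) return -1;                /* invalid column index */
    if (*fname) {
        col->name = strdup(fname);               /* copy, never the library's buffer */
    } else {
        snprintf(computed_buf, sizeof computed_buf, "computed%d", colno);
        col->name = strdup(computed_buf);
    }
    if (col->name == NULL) return -1;            /* out of memory */
    col->namelen = strlen(col->name);
    return 0;
}

/* What the core does on nextRowset(): release every column name. With the
 * pre-patch borrowed pointer this free() is where the report's crash occurs. */
static void release_columns(struct column_data *cols, int ncols)
{
    for (int i = 0; i < ncols; i++) {
        free(cols[i].name);
        cols[i].name = NULL;
    }
}
```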

Patches

dblib_stmt_column_name_computed (last revision 2015-06-25 23:00 UTC by miracle at rpz dot name)

Pull Requests

History

 [2015-06-25 22:52 UTC] miracle at rpz dot name
--- orig/ext/pdo_dblib/dblib_stmt.c        2015-05-14 02:13:33.000000000 +0300
+++ fixes/ext/pdo_dblib/dblib_stmt.c       2015-06-26 01:45:16.392471563 +0300
@@ -204,7 +204,15 @@
 
        struct pdo_column_data *col = &stmt->columns[colno];
 
-       col->name = (char*)dbcolname(H->link, colno+1);
+        char *fname = (char*)dbcolname(H->link, colno+1);
+        char computed_buf[16];
+        if (*fname) {
+            col->name = estrdup(fname);
+        } else {
+            snprintf(computed_buf,16,"computed%d", colno);
+            col->name = estrdup(computed_buf);
+        }
+        
        col->maxlen = dbcollen(H->link, colno+1);
        col->namelen = strlen(col->name);
        col->param_type = PDO_PARAM_STR;
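Review bot: `if (*fname)` dereferences the dbcolname() result without a NULL check, and FreeTDS returns NULL for an out-of-range column number; guard it first, e.g. `if (fname && *fname)`, and treat NULL like the empty name. The estrdup() itself is the right shape for this bug: the backtrace shows pdo_stmt_do_next_rowset() calling efree() on col->name, so the driver must hand the core an emalloc'd copy rather than the library's own buffer. Two smaller points: `computed_buf[16]` leaves room for only seven digits after "computed", so pass sizeof(computed_buf) to snprintf() and consider a larger buffer to avoid silent truncation, and the added lines are indented with spaces while the surrounding context uses the file's existing indentation.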


Is such a "patch" correct?
 [2015-07-07 18:23 UTC] miracle+php at rpz dot name
Duplicate of #67130
 [2015-10-18 09:43 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-10-18 09:43 UTC] ab@php.net
PR 1386 was merged into 5.6 and up.

Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC