Bug #69897 segfault when manually constructing SQLite3Result
Submitted: 2015-06-22 08:40 UTC Modified: 2015-06-22 09:13 UTC
From: sjon at hortensius dot net Assigned: kalle (profile)
Status: Closed Package: SQLite related
PHP Version: 7.0.0alpha1 OS: *
Private report: No CVE-ID: None

 [2015-06-22 08:40 UTC] sjon at hortensius dot net
Description:
------------
SQLite3Result has a private constructor; calling it yields the correct error message:

Fatal error: Uncaught EngineException: Call to private SQLite3Result::__construct() from invalid context in /in/G7TZg:3

But it also results in a segfault.

Test script:
---------------
From http://3v4l.org/G7TZg

<?php

$foo = new SQLite3Result();

Expected result:
----------------
Fatal error only

Actual result:
--------------
==19072== Invalid read of size 4
==19072==    at 0x4FAFC9: php_sqlite3_result_object_free_storage (sqlite3.c:2106)
==19072==    by 0x990233: zend_objects_store_free_object_storage (zend_objects_API.c:102)
==19072==    by 0x92DDDB: shutdown_executor (zend_execute_API.c:341)
==19072==    by 0x9462F3: zend_deactivate (zend.c:964)
==19072==    by 0x8B765C: php_request_shutdown (main.c:1814)
==19072==    by 0xA05233: do_cli (php_cli.c:1135)
==19072==    by 0xA0591B: main (php_cli.c:1334)
==19072==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==19072== 
==19072== 
==19072== Process terminating with default action of signal 11 (SIGSEGV)
==19072==  Access not within mapped region at address 0x20
==19072==    at 0x4FAFC9: php_sqlite3_result_object_free_storage (sqlite3.c:2106)
==19072==    by 0x990233: zend_objects_store_free_object_storage (zend_objects_API.c:102)
==19072==    by 0x92DDDB: shutdown_executor (zend_execute_API.c:341)
==19072==    by 0x9462F3: zend_deactivate (zend.c:964)
==19072==    by 0x8B765C: php_request_shutdown (main.c:1814)
==19072==    by 0xA05233: do_cli (php_cli.c:1135)
==19072==    by 0xA0591B: main (php_cli.c:1334)
==19072==  If you believe this happened as a result of a stack
==19072==  overflow in your program's main thread (unlikely but
==19072==  possible), you can try to increase the size of the
==19072==  main thread stack using the --main-stacksize= flag.
==19072==  The main thread stack size used in this run was 8388608.
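
The trace above places the crash in the free-storage handler run at request shutdown, not in the refused constructor call: the engine allocates the object before it decides the constructor is private, so the handler later receives an object whose internal fields were never set. The C model below is added here as an editorial example; it is not code from php-src or from the fix referenced in this report, and every type and function name in it is an assumption. It shows the defensive pattern a release handler needs: the version that assumes the constructor ran beside the version that treats the zero-initialised state as legal.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the prepared-statement object a result would
 * normally point back to (assumed names, not php-src's). */
typedef struct {
    int initialised;   /* 1 once the statement is ready to be reset */
    int reset_count;   /* counts calls to the sqlite3_reset() stand-in */
} stmt_obj_t;

/* Stand-in for the engine-side result object. */
typedef struct {
    stmt_obj_t *stmt_obj;  /* set only by the internal factory path */
} result_obj_t;

/* The engine allocates and zero-fills object storage before any
 * constructor runs, so every pointer starts out NULL. */
static result_obj_t *result_object_new(void) {
    return calloc(1, sizeof(result_obj_t));
}

/* The internal factory (what a statement's execute path would do)
 * attaches the statement. A script calling the private constructor never
 * gets here, yet the object exists and is still freed at shutdown. */
static void result_attach_stmt(result_obj_t *o, stmt_obj_t *s) {
    o->stmt_obj = s;
}

/* Unguarded handler: checks only that the object itself is non-NULL and
 * then dereferences stmt_obj. On a never-attached object stmt_obj is NULL,
 * so reading ->initialised is a read at a small offset from address 0,
 * the same class of invalid read the Valgrind trace above shows.
 * Returns 1 if a reset was issued, 0 otherwise. */
static int free_storage_unguarded(result_obj_t *o) {
    int resets = 0;
    if (!o) return 0;
    if (o->stmt_obj->initialised) {
        o->stmt_obj->reset_count++;
        resets = 1;
    }
    free(o);
    return resets;
}

/* Guarded handler: treats "constructor never ran" as a legal state.
 * Every field the handler touches is checked against its zeroed value. */
static int free_storage_guarded(result_obj_t *o) {
    int resets = 0;
    if (!o) return 0;
    if (o->stmt_obj != NULL && o->stmt_obj->initialised) {
        o->stmt_obj->reset_count++;
        resets = 1;
    }
    free(o);
    return resets;
}

typedef int (*free_storage_fn)(result_obj_t *);

/* Scenario from the report: `new SQLite3Result()` is refused, but the
 * allocated object is still handed to the free-storage handler. */
static int scenario_manual_new(free_storage_fn handler) {
    result_obj_t *o = result_object_new();
    return handler(o);
}

/* Normal path: the result was produced by the factory, so releasing it
 * must reset the statement exactly once. */
static int scenario_factory(free_storage_fn handler) {
    stmt_obj_t stmt = { 1, 0 };
    result_obj_t *o = result_object_new();
    result_attach_stmt(o, &stmt);
    handler(o);
    return stmt.reset_count;
}

int main(void) {
    printf("factory, guarded:    resets=%d\n", scenario_factory(free_storage_guarded));
    printf("factory, unguarded:  resets=%d\n", scenario_factory(free_storage_unguarded));
    printf("manual new, guarded: resets=%d (no crash)\n",
           scenario_manual_new(free_storage_guarded));
    /* scenario_manual_new(free_storage_unguarded) would dereference NULL. */
    return 0;
}
```

Both handlers behave identically on the happy path; they differ only when the object reaches them half-built, which is exactly the state a refused constructor call leaves behind. Running the unguarded handler on such an object under Valgrind or ASan is the quickest way to surface this class of bug in an extension before it ships.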

History

 [2015-06-22 09:09 UTC] kalle@php.net
-Status: Open +Status: Verified -Operating System: archlinux +Operating System: *
 [2015-06-22 09:09 UTC] kalle@php.net
Confirmed on Windows too
 [2015-06-22 09:12 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da4c34f0e5957f4370a22bfcc0043efb1f59955
Log: Fixed bug #69897 (segfault when manually constructing SQLite3Result)
 [2015-06-22 09:12 UTC] kalle@php.net
-Status: Verified +Status: Closed
 [2015-06-22 09:13 UTC] kalle@php.net
-Assigned To: +Assigned To: kalle
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da4c34f0e5957f4370a22bfcc0043efb1f59955
Log: Fixed bug #69897 (segfault when manually constructing SQLite3Result)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da4c34f0e5957f4370a22bfcc0043efb1f59955
Log: Fixed bug #69897 (segfault when manually constructing SQLite3Result)