PHP :: Bug #72862 :: segfault using prepared statements on stored procedures that use a cursor

Bug #72862

segfault using prepared statements on stored procedures that use a cursor

Submitted:

2016-08-17 04:19 UTC

Modified:

2020-12-18 09:27 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

nuke48386 at yahoo dot com

Assigned:

nikic (profile)

Status:

Closed

Package:

MySQLi related

PHP Version:

5.6.24

OS:

Debian Wheezy i686

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nuke48386 at yahoo dot com
New email:
PHP Version:		OS:

New Comment:

[2016-08-17 04:19 UTC] nuke48386 at yahoo dot com

Description:
------------
A prepared statement that calls a stored procedure that uses a cursor causes the PHP process to segfault.
The issue is in the mysqlnd module.


Test script:
---------------
I have posted an SQL file for creating a test database and stored procedure,
and a PHP script that together can reproduce the bug.
Together they are more than 20 lines, so they can be found in
the issue I opened with the folks at DotDeb:
https://github.com/gplessis/dotdeb-php/issues/145

Actual result:
--------------
backtrace:
Starting program: /usr/bin/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
mysqlnd_fetch_stmt_row_cursor (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c:1022
1022    /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c: No such file or directory.
#0  mysqlnd_fetch_stmt_row_cursor (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c:1022
#1  0xb73148d5 in php_mysqlnd_res_fetch_row_pub (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1352
#2  0xb73173a6 in php_mysqlnd_res_fetch_into_pub (result=0xb7621088, flags=2, return_value=0xb7621a64, extension=MYSQLND_MYSQLI)
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1823
#3  0xb73171c5 in php_mysqlnd_res_fetch_all_pub (result=0xb7621088, flags=2, return_value=0xb7621a48) at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1893
#4  0xb67c6132 in zif_mysqli_fetch_all (ht=0, return_value=0xb7621a48, return_value_ptr=0xb76041a0, this_ptr=0xb761edb0, return_value_used=1)
    at /usr/src/builddir/ext/mysqli/mysqli_nonapi.c:385
#5  0x0842d376 in execute_internal (execute_data_ptr=execute_data_ptr@entry=0xb76042bc, fci=fci@entry=0x0, return_value_used=return_value_used@entry=1)
    at /usr/src/builddir/Zend/zend_execute.c:1527
#6  0x08371493 in dtrace_execute_internal (execute_data_ptr=0xb76042bc, fci=0x0, return_value_used=1) at /usr/src/builddir/Zend/zend_dtrace.c:97
#7  0x0842f9e7 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_vm_execute.h:560
#8  0x083f15e7 in execute_ex (execute_data=execute_data@entry=0xb76042bc) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#9  0x08371359 in dtrace_execute_ex (execute_data=0xb76042bc) at /usr/src/builddir/Zend/zend_dtrace.c:73
#10 0x0842f162 in zend_execute (op_array=0xb761e5a4) at /usr/src/builddir/Zend/zend_vm_execute.h:388
#11 zend_execute (op_array=0xb761e5a4) at /usr/src/builddir/Zend/zend_vm_execute.h:383
#12 0x08384906 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#13 0x08319dae in php_execute_script (primary_file=primary_file@entry=0xbfffdf78) at /usr/src/builddir/main/main.c:2613
#14 0x08433379 in do_cli (argc=-1073750152, argc@entry=2, argv=0x7, argv@entry=0x89a0d88) at /usr/src/builddir/sapi/cli/php_cli.c:994
#15 0x080a5f43 in main (argc=2, argv=0x89a0d88) at /usr/src/builddir/sapi/cli/php_cli.c:1378
A debugging session is active.

        Inferior 1 [process 4588] will be killed.

Quit anyway? (y or n)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-30 11:53 UTC] richard dot fussenegger at trivago dot com

Possible duplicate of https://bugs.php.net/bug.php?id=72413

[2020-12-18 09:27 UTC] nikic@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic

[2020-12-18 09:27 UTC] nikic@php.net

This should be fixed by https://github.com/php/php-src/commit/bc166844e37a6e1531a18dc0916fbe508152fc6c.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC