Bug #74376 Invalid free of persistent results on error/connection loss
Submitted: 2017-04-05 18:51 UTC Modified: 2017-04-10 05:58 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: dev at pp3345 dot net Assigned: krakjoe (profile)
Status: Closed Package: MySQL related
PHP Version: 7.1.3 OS: Irrelevant
Private report: No CVE-ID: None
 [2017-04-05 18:51 UTC] dev at pp3345 dot net
Description:
------------
mysqlnd allocates result objects in mysqlnd_result.c:1899 (mysqlnd_result_init):
	MYSQLND_RES * ret = mnd_pecalloc(1, alloc_size, persistent);

Note that these objects may be allocated persistently if the underlying connection is persistent. Normally these objects will be freed in mysqlnd_result.c:347 (mysqlnd_res::free_result_internal):
	mnd_pefree(result, result->persistent);
Here, the persistency flag is respected.

However, in some cases (query errors or connection loss), mysqlnd_ps.c will use mnd_efree() instead of mnd_pefree() to free a result object:
line 132 (mysqlnd_stmt::store_result):
	mnd_efree(stmt->result);
line 359 (mysqlnd_stmt_prepare_read_eof):
	mnd_efree(stmt->result);

This will cause segfaults/"zend_mm_heap corrupted" in the above-mentioned cases.

Test script:
---------------
<?php
// Persistent connection with native (non-emulated) prepared statements,
// so the query goes through mysqlnd_ps.c and the result object is
// allocated persistently.
$conn = new PDO("mysql:...", "...", "...", [PDO::ATTR_PERSISTENT => true, PDO::ATTR_EMULATE_PREPARES => false]);
// Scalar subquery returning two rows: the server reports a query error at
// execution time, which takes the mnd_efree() path described above.
$conn->query("select (select 1 union select 2)");

Expected result:
----------------
Script executes successfully.

Actual result:
--------------
segfault
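To make the allocator mismatch in the report concrete, the following is an added, constructed C model; it is not mysqlnd or Zend code and does not come from the report. Every identifier (model_pecalloc, model_pefree, model_efree, model_res, scenario, the HEAP_* tags) is an assumption introduced here. Each block carries a header recording which heap handed it out, so the model can detect a block allocated with persistent=1 being released through the non-persistent free, instead of silently corrupting heap metadata the way a real allocator would. The "correct" path honours the object's own persistent flag, as free_result_internal does; the "buggy" path unconditionally uses the non-persistent free, as the two mnd_efree() calls in mysqlnd_ps.c do.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not mysqlnd/Zend code: every block is tagged with the
 * heap it came from so a mismatched free returns an error instead of
 * corrupting allocator metadata. */
enum heap_kind { HEAP_REQUEST = 0xA11C, HEAP_PERSISTENT = 0xBEEF };

struct block_hdr {
    unsigned kind;   /* which heap owns this block */
    size_t size;     /* requested payload size */
};

/* Stand-in for mnd_pecalloc(): zeroed block, tagged by the persistent flag. */
static void *model_pecalloc(size_t n, size_t size, int persistent) {
    struct block_hdr *h = calloc(1, sizeof *h + n * size);
    if (!h) return NULL;
    h->kind = persistent ? HEAP_PERSISTENT : HEAP_REQUEST;
    h->size = n * size;
    return h + 1;                     /* payload follows the header */
}

/* Release through the heap selected by `persistent`.
 * Returns 0 on a matching free, -1 if the block belongs to the other heap
 * (a real allocator would corrupt its metadata here and crash later). */
static int model_free_from(void *p, int persistent) {
    struct block_hdr *h = (struct block_hdr *)p - 1;
    unsigned expected = persistent ? HEAP_PERSISTENT : HEAP_REQUEST;
    if (h->kind != expected) return -1;
    h->kind = 0;
    free(h);
    return 0;
}

/* Stand-ins for mnd_efree() and mnd_pefree(). */
static int model_efree(void *p)                { return model_free_from(p, 0); }
static int model_pefree(void *p, int persistent) { return model_free_from(p, persistent); }

/* Minimal stand-in for the result object: only the field the bug hinges on. */
struct model_res {
    int  persistent;
    char payload[64];
};

/* Mirrors mysqlnd_result_init(): allocation honours the persistent flag. */
static struct model_res *result_init(int persistent) {
    struct model_res *r = model_pecalloc(1, sizeof *r, persistent);
    if (r) r->persistent = persistent;
    return r;
}

/* Correct path (free_result_internal): free with the object's own flag. */
static int free_result_correct(struct model_res *r) {
    return model_pefree(r, r->persistent);
}

/* Buggy path (the mnd_efree() calls on the error/connection-loss branches). */
static int free_result_buggy(struct model_res *r) {
    return model_efree(r);
}

/* Allocate with the given persistence and release via the chosen path.
 * Returns the free's status; on a mismatch the block is then released
 * correctly so the model itself does not leak. */
static int scenario(int persistent, int buggy) {
    struct model_res *r = result_init(persistent);
    if (!r) return -2;
    int rc = buggy ? free_result_buggy(r) : free_result_correct(r);
    if (rc != 0) model_pefree(r, persistent);
    return rc;
}

int main(void) {
    printf("non-persistent, correct free: %d\n", scenario(0, 0));
    printf("persistent,     correct free: %d\n", scenario(1, 0));
    printf("non-persistent, efree path:   %d\n", scenario(0, 1));
    printf("persistent,     efree path:   %d\n", scenario(1, 1));
    return 0;
}
```

The model only flags the mismatch; the reporter's point is that the real allocator has no such check, so the persistent result object passed to mnd_efree() is handed to the wrong heap and the damage surfaces later as a segfault or "zend_mm_heap corrupted". The fix direction the report implies is the same as the correct path above: free with result->persistent rather than assuming a request allocation.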

History
 [2017-04-10 05:58 UTC] krakjoe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2017-04-10 05:58 UTC] krakjoe@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Not sure why this didn't close automatically.
 