php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75927 Crash when using subquery which returns more than 1 row
Submitted: 2018-02-06 15:29 UTC Modified: 2020-12-12 00:39 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: s dot pfalz at webcookies dot de Assigned: dharman (profile)
Status: Closed Package: MySQLi related
PHP Version: 7.0.28 OS: Fedora 27
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: s dot pfalz at webcookies dot de
New email:
PHP Version: OS:

 

 [2018-02-06 15:29 UTC] s dot pfalz at webcookies dot de 
Description:
------------
When executing the code below PHP-FPM interpreter crashes with sigsegv and dumps core.
The problem is related to the subquery, which should normally return only 1 row, but in my case it would return 2 rows, which of course cannot work and I expected an error code: "Error Code: 1242. Subquery returns more than 1 row". 
However i got a crash (503 Service unavailable) and a coredump was written.





Test script:
---------------
<?php
$mysqli = new mysqli("localhost","xyz","xyz_2k17","xyz");
if($mysqli->connect_errno)
  {
  die("Cannot connect: ".$mysqli->connect_error);
  }
$SQL=<<<EOM
SELECT  bc.ID AS BOOKING_CUSTOMER_ID,
        bc.REF_ORDER_ID,
        bc.BOOKING_NUMBER,
        bc.STATUS,
        UNIX_TIMESTAMP(bc.PAYMENT_DATE) AS BOOKING_PAYMENT_DATE,
        bc.PAYMENT_SUM,
        bc.BOOKING_STATUS,
        bc.BOOKING_STATUS_CODE,
        bc.BOOKING_MESSAGE,
        bc.TRANSACTION_ID,
        UNIX_TIMESTAMP(bc.BOOKING_DATE) AS BC_BOOKING_DATE,
        UNIX_TIMESTAMP(EXECUTION_DATE) AS BC_EXECUTION_DATE,
        UNIX_TIMESTAMP(bc.CDATE) AS BOOKING_CUSTOMER_CDATE,
        UNIX_TIMESTAMP(bc.MDATE) AS BOOKING_CUSTOMER_MDATE,
        (SELECT PAYMENT_SUM+PENALTY_FEE+PROCESSING_FEE+LAWYER_FEE FROM xyz_failed_payments fp WHERE fp.REF_BOOKING_ID=bc.ID) AS PAYMENT_FEE
 FROM   xyz_order_booking_customer bc
 WHERE  bc.REF_ORDER_ID=?
 ORDER  BY bc.BOOKING_NUMBER
EOM;
if(!($stmt = $mysqli->prepare($SQL)))
  {
  die("PREPARE FAILED: ".$mysqli->error);
  }
$id = 9;
if(!$stmt->bind_param("i",$id))
  {
  die("Binding failed: ".$stmt->error);
  }
if(!$stmt->execute())
  {
  die("Execute failed! ".$stmt->error);
  }


Expected result:
----------------
Execute should give an error:
Error Code: 1242. Subquery returns more than 1 row



Actual result:
--------------
Segmentation fault (core dumped)

Backtrace:

#0  0x00000000008ebdd0 in php_mysqlnd_stmt_fetch_pub ()
#1  0x00007fb77d479188 in ?? ()
#2  0x00007ffc0bbbd71f in ?? ()
#3  0x0000000001329e60 in m_sbox ()
#4  0x0000000000000001 in ?? ()
#5  0x00007fb77d487008 in ?? ()
#6  0x00007ffc0bbbda00 in ?? ()
#7  0x00000000008e47c4 in php_mysqlnd_result_buffered_num_rows_pub ()
#8  0x00007fb77d46c248 in ?? ()
#9  0x00007fb77d487008 in ?? ()
#10 0x00007fb77d472148 in ?? ()
#11 0x00007fb77d487008 in ?? ()
#12 0x00007fb77d46d008 in ?? ()
#13 0x00000000008ea263 in php_mysqlnd_debug_set_mode_pub ()
#14 0x18ac670d3c77163f in ?? ()
#15 0x0000000000000000 in ?? ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-07 06:14 UTC] s dot pfalz at webcookies dot de 
Sorry, backtrace was against php-fpm, but I've tested on CLI :(

Here's the correct trace:

0  0x00000000008ebdd0 in mysqlnd_stmt_fetch_row_unbuffered ()
#1  0x00000000008e47c4 in php_mysqlnd_res_skip_result_pub ()
#2  0x00000000008ea263 in php_mysqlnd_stmt_net_close_priv ()
#3  0x00000000008e97be in php_mysqlnd_stmt_dtor_pub ()
#4  0x0000000000720c6f in mysqli_stmt_free_storage ()
#5  0x000000000099dfaa in zend_objects_store_del ()
#6  0x00000000009700f1 in zend_hash_reverse_apply ()
#7  0x000000000094d7ed in shutdown_destructors ()
#8  0x000000000095e7a4 in zend_call_destructors ()
#9  0x00000000008f300d in php_request_shutdown ()
#10 0x0000000000a0657a in do_cli ()
#11 0x000000000045000b in main ()
 [2018-03-02 11:19 UTC] s dot pfalz at webcookies dot de
-PHP Version: 7.0.27 +PHP Version: 7.0.28
 [2018-03-02 11:19 UTC] s dot pfalz at webcookies dot de 
Just tested against php 7.0.28, still the same. To make it easier to reproduce, a stripped down script including table structure and testdata is provided.

Tescript:

<?php
/*
CREATE TABLE t1
  (
  ID    BIGINT  NOT NULL AUTO_INCREMENT,
  VAL   VARCHAR(100)   NOT NULL,
  PRIMARY KEY(ID)
  )
 ENGINE=InnoDB
 CHARACTER SET utf8;

CREATE TABLE t2
  (
  ID          BIGINT  NOT NULL AUTO_INCREMENT,
  REF_T1_ID   BIGINT  NOT NULL,
  VAL_T2      VARCHAR(100),
  PRIMARY KEY(ID)
  )
 ENGINE=InnoDB
 CHARACTER SET utf8;

INSERT INTO t1 VALUES(1,'TEST1');
INSERT INTO t1 VALUES(2,'TEST2');

INSERT INTO t2 VALUES(1,1,'REF_TEST1.1');
INSERT INTO t2 VALUES(2,1,'REF_TEST1.2');
*/

$mysqli = new mysqli("localhost","siegel","siegel","siegel");
if($mysqli->connect_errno)
  {
  die("Cannot connect: ".$mysqli->connect_error);
  }
$SQL=<<<EOM
SELECT  t1.ID,
        t1.VAL,
        (SELECT t2.VAL_T2 FROM t2 WHERE REF_T1_ID=t1.ID) AS VAL2
  FROM  t1
 WHERE  t1.ID=?
EOM;
if(!($stmt = $mysqli->prepare($SQL)))
  {
  die("PREPARE FAILED: ".$mysqli->error);
  }
$id = 1;
if(!$stmt->bind_param("i",$id))
  {
  die("Binding failed: ".$stmt->error);
  }
if(!$stmt->execute())
  {
  die("Execute failed! ".$stmt->error);
  }

Backtrace after Core Dump:

Core was generated by `php mysqli_bug_75927.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000008ebce0 in mysqlnd_stmt_fetch_row_unbuffered ()
(gdb) bt
#0  0x00000000008ebce0 in mysqlnd_stmt_fetch_row_unbuffered ()
#1  0x00000000008e46d4 in php_mysqlnd_res_skip_result_pub ()
#2  0x00000000008ea173 in php_mysqlnd_stmt_net_close_priv ()
#3  0x00000000008e96ce in php_mysqlnd_stmt_dtor_pub ()
#4  0x0000000000720b3f in mysqli_stmt_free_storage ()
#5  0x000000000099deaa in zend_objects_store_del ()
#6  0x000000000096fff1 in zend_hash_reverse_apply ()
#7  0x000000000094d6fd in shutdown_destructors ()
#8  0x000000000095e6a4 in zend_call_destructors ()
#9  0x00000000008f2f1d in php_request_shutdown ()
#10 0x0000000000a0647a in do_cli ()
#11 0x000000000045001b in main ()
 [2020-12-12 00:39 UTC] dharman@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dharman
 [2020-12-12 00:39 UTC] dharman@php.net 
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at
http://www.php.net/downloads.php

This was fixed in 7.4.13. Commit: https://github.com/php/php-src/commit/b03776adb5bbb9b54731a44377632fcc94a59d2f
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Dec 27 04:01:29 2024 UTC