Bug #81009 PDO statement segfault on invalid param
Submitted: 2021-05-03 16:45 UTC Modified: 2021-05-04 10:18 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: theo dot fidry at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO PgSQL
PHP Version: 7.4.18 OS: OSX 11.2.3
Private report: No CVE-ID: None
 [2021-05-03 16:45 UTC] theo dot fidry at gmail dot com
Description:
------------
We have in our code the following statement (done via Doctrine):

```php
$stmt->bindValue(6, null, 1);
```

coming from an entity property of the type `?int` and for which the corresponding DB column is a nullable integer (PostgreSQL 12.3).

When upgrading from PHP 7.4.13 to 7.4.18, the above statement results in a segfault once the query is executed.

Changing the `null` value into an int value, or keeping the value `null` and changing the param type `1` to `0`, both result in a successful execution on 7.4.18.

The related Doctrine code is https://github.com/doctrine/dbal/blob/2.13.x/lib/Doctrine/DBAL/Statement.php#L101-L121. As you can see, it has not changed in a long time, and even if a failure is expected with an invalid type, I suspect a segfault is not the desired outcome.

Test script:
---------------
We are using the following excerpt locally:

```php
$kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
$kernel->boot();

/** @var PDOStatement $stmt */
$stmt = $kernel->getContainer()
    ->get('doctrine.dbal.default_connection')
    ->prepare('INSERT INTO foo (col1, col2, col3, col4, col5, col6, col7) VALUES (?, ?, ?, ?, ?, ?, ?)');

// Third argument is the PDO parameter type: 1 = PDO::PARAM_INT, 2 = PDO::PARAM_STR
$stmt->bindValue(1, 16527, 1);
$stmt->bindValue(2, 'ee3b3a2d-f01a-4455-a509-629bf2780ca6', 2);
$stmt->bindValue(3, '2021-05-03T16:09:31Z', 2);
$stmt->bindValue(4, 'certificationGranted', 2);
$stmt->bindValue(5, 'foo', 2);
$stmt->bindValue(6, null, 1); // null bound as PDO::PARAM_INT: the binding described above
$stmt->bindValue(7, '3e2456b7-49c2-46de-ad7d-1b3f4c1b5663', 2);

$stmt = $stmt->execute(null);
```


Expected result:
----------------
Not a segfault.
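One way to apply the workaround the report describes (bind a `null` with `PDO::PARAM_NULL`, the `0`, instead of `PDO::PARAM_INT`, the `1`), as an added example that is not part of the bug report or of Doctrine. It uses an in-memory SQLite database so it runs without a PostgreSQL server; the helper name `bindNullable`, the table and the sample rows are assumptions.

```php
<?php
// Added example (not from the bug report): choose the PDO parameter type from
// the actual value so that a null is never bound as PDO::PARAM_INT.

/**
 * Bind $value at $position. A null is bound as PDO::PARAM_NULL (0);
 * any other value is bound with the caller's $type (e.g. PDO::PARAM_INT, 1).
 */
function bindNullable(PDOStatement $stmt, int $position, $value, int $type): void
{
    $stmt->bindValue($position, $value, $value === null ? PDO::PARAM_NULL : $type);
}

// In-memory SQLite stands in for the PostgreSQL database of the report (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE foo (col1 INTEGER NOT NULL, col6 INTEGER NULL)');

$stmt = $pdo->prepare('INSERT INTO foo (col1, col6) VALUES (?, ?)');

// Constructed sample rows; the second mirrors the report: a ?int property that is null.
$rows = [
    [16527, 42],
    [16528, null],
];

foreach ($rows as [$col1, $col6]) {
    bindNullable($stmt, 1, $col1, PDO::PARAM_INT);
    bindNullable($stmt, 2, $col6, PDO::PARAM_INT); // null -> PDO::PARAM_NULL, not PARAM_INT
    $stmt->execute();
}

// Read the rows back: col6 is 42 for the first row and NULL for the second.
foreach ($pdo->query('SELECT col1, col6 FROM foo ORDER BY col1') as $row) {
    echo $row['col1'], ' => ', var_export($row['col6'], true), PHP_EOL;
}
```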


 [2021-05-04 01:22 UTC] rwahyudi at gmail dot com
Confirmed that we hit the same bug on RHEL7 and can reproduce the issue. 

When hitting this bug, we get the following error on /var/log/message:

```
kernel: php74[6170]: segfault at 18 ip 00007fb376c68fe7 sp 00007ffc46b4d280 error 4 in libc-2.17.so[7fb376c2e000+1c4000]
```

strace result:

```
open("vendor/doctrine/dbal/lib/Doctrine/DBAL/Statement.php", O_RDONLY) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=23012, ...}) = 0
read(14, "<?php\n\nnamespace Doctrine\\DBAL;\n"..., 23012) = 23012
fcntl(4, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
fcntl(4, F_SETLK, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
close(14)                               = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x18} ---
+++ killed by SIGSEGV ++
```
 [2021-05-04 10:18 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-05-04 10:18 UTC] cmb@php.net
This is a duplicate of bug #81002, which will be fixed in
PHP 7.4.19 and 8.0.6.