PHP :: Bug #38710 :: data leakage because of nonexisting boundary checking in statements

Bug #38710	data leakage because of nonexisting boundary checking in statements
Submitted:	2006-09-04 10:34 UTC	Modified:	2007-07-11 12:28 UTC
From:	domas at mysql dot com	Assigned:	georg (profile)
Status:	Closed	Package:	MySQLi related
PHP Version:	5.1.6	OS:	Any
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 36 + 39 = ?
Subscribe to this entry?

[2006-09-04 10:34 UTC] domas at mysql dot com

Description:
------------
If function is executed in a prepared statement (like CONCAT, 
UNCOMPRESS, etc), it allocates 8192-sized buffer, but fetch() 
doesn't check actual length of data. If data crosses 8192-byte 
boundary, all sorts of weird stuff starts to happen, including 
possible sensitive data disclosures of non-overwrited buffers 
(at smaller lengths) or process crashes (at bigger ones). 



Reproduce code:
---------------
$db=new mysqli("localhost","root","","test");
$qry=$db->stmt_init();
$qry->prepare("SELECT REPEAT('a',100000)");
$qry->execute();
$qry->bind_result($text);
$qry->fetch();



Expected result:
----------------
silence

Actual result:
--------------
crash!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-09-04 10:35 UTC] domas at mysql dot com

#0  0x007c758c in memcpy () from /lib/tls/libc.so.6
#1  0x081b6d91 in _estrndup ()
#2  0x05698383 in zif_mysqli_stmt_fetch (ht=147132188, 
return_value=0x8c420bc, return_value_ptr=0x0, 
this_ptr=0x8c50f1c, return_value_used=0)
    at /usr/src/redhat/BUILD/php-5.1.6/ext/mysqli/
mysqli_api.c:717
#3  0x081e9a81 in zend_do_fcall_common_helper_SPEC ()
#4  0x081e93bb in execute ()
#5  0x081ce2e0 in zend_execute_scripts ()
#6  0x08192006 in php_execute_script ()
#7  0x00000000 in ?? ()

[2006-09-04 16:45 UTC] georg@php.net

see also http://bugs.mysql.com/bug.php?id=22001

[2007-03-08 22:51 UTC] stas@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

I've committed semi-fix (real fix would be to fetch all the data, I guess).

[2007-04-11 22:41 UTC] tony2001@php.net

Georg, any news on this?
I can't reproduce it locally, but seems to fail on gcov.php.net, see http://gcov.php.net/viewer.php?version=PHP_5_2&func=tests&file=ext%2Fmysqli%2Ftests%2Fbug38710.phpt

[2007-07-11 12:28 UTC] andrey@php.net

Should have been fixed by Stas.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 04:00:01 2025 UTC