php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17497 mssql extension crashes if magic_quotes_runtime is on
Submitted: 2002-05-28 20:30 UTC Modified: 2002-10-28 14:16 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: ddb at bitxtender dot de Assigned:
Status: Closed Package: MSSQL related
PHP Version: 4.2.1 OS: Windows 2000
Private report: No CVE-ID:
 [2002-05-28 20:30 UTC] ddb at bitxtender dot de
I've found a bug in the mssql extension: If magic_quotes_runtime is set every mssql_fetch_* produces a crash of php due to double freed memory. The problem itself is produced in the following code: 

if (PG(magic_quotes_runtime)) {
data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &Z_STRLEN(result->data[result->cur_row][i]), 1 TSRMLS_CC);

there the string stored in the zval gets freed without destroying the zval itself, so later if the destructor of the the zval gets called (in _free_result) the data is already freed and php crashes with a memory exception.

to (quick)fix this just change the function call to 
data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &data_len, 0 TSRMLS_CC);

the data_len is there since the length of the passed string doesn't change and if it gets changed by php_addslashes we will get warnings of not 0 terminated strings sometimes. and the last parameter was changed to 0 so php_addslashes doesn't free the memory.

regards
Dominik del Bondio

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-10-28 14:16 UTC] sterling@php.net
Fixed in cvs, thanks...
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 09:02:28 2014 UTC