Bug #33167 pg_fetch_array can cause a segfault
Submitted: 2005-05-28 00:59 UTC Modified: 2005-10-11 18:20 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: jsnell at networkninja dot com Assigned:
Status: Closed Package: PostgreSQL related
PHP Version: 5CVS-2005-10-02 (snap) OS: Debian (dotdeb), gentoo
Private report: No CVE-ID: None
 [2005-05-28 00:59 UTC] jsnell at networkninja dot com
Description:
------------
Calling pg_fetch_array() with the results of a division followed by calling it with a constant causes a segfault.  I have confirmed it in both cgi and mod php 5.0.4 and also in cgi php 5.0.3.

Reproduce code:
---------------
<?php
// need a valid database to connect to
// contents don't matter
$query = 'select 1 as one';

$db_user = "your_user";
$db_password = "your_pass";
$db_name = "your_db";
$db_port = 5432;

$connect_string = "user=$db_user " .
    "password=$db_password " .
    "port=$db_port " .
    "dbname=$db_name";
$db_link = pg_connect($connect_string);

$result = pg_exec($db_link, $query); // pg_exec() is an alias of pg_query()

$i = floor(4/5); // floor() returns float(0), not int(0)
$data = pg_fetch_array($result, $i);

$i = 0;
$data = pg_fetch_array($result, $i);

echo("No segfault");


Expected result:
----------------
No segfault

Actual result:
--------------
gdb backtrace:

#0  0x0820cf3b in _zend_hash_index_update_or_next_insert ()
#1  0x08209c53 in add_index_stringl ()
#2  0x406bee43 in zif_pg_fetch_result () from /usr/lib/php5/20041030/pgsql.so
#3  0x406bf10f in zif_pg_fetch_array () from /usr/lib/php5/20041030/pgsql.so
#4  0x0823c4da in zend_do_fcall_common_helper ()
#5  0x0823cb11 in zend_do_fcall_handler ()
#6  0x08224cb5 in execute ()
#7  0x08207e28 in zend_execute_scripts ()
#8  0x081d8bca in php_execute_script ()
#9  0x0824c3f4 in main ()


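The trigger in the report is a float row offset (floor() returns float even when the value is integral) reaching an internal function that expects an int, after which the variable looks corrupted. The following is an added example, not code from the report or from ext/pgsql, showing the defensive side of that: normalising the row offset to a real int before the call, and relying on declare(strict_types=1) so that an unvalidated float is refused at the call boundary with a TypeError instead of being coerced. It assumes PHP 8 and, for the database part only, an assumed environment variable PGCONN holding a libpq connection string; the validation runs without a database.

```php
<?php
// Added example (not from the bug report or from ext/pgsql): keep the row
// argument of pg_fetch_array() an int, and let strict typing reject floats.
declare(strict_types=1);

// floor() returns float even for integral results, which is what the report
// passed as the row offset: float(0), not int(0).
$i = floor(4 / 5);
echo 'floor(4/5) is ', gettype($i), ' ', var_export($i, true), "\n"; // double 0.0

/**
 * Normalise a row offset to int before it reaches pg_fetch_array().
 * Accepts ints and integral, finite, non-negative floats; rejects the rest.
 */
function rowOffset(mixed $row): int
{
    if (is_int($row)) {
        if ($row < 0) {
            throw new InvalidArgumentException("negative row offset: $row");
        }
        return $row;
    }
    if (is_float($row) && is_finite($row) && $row >= 0 && $row === floor($row)) {
        return (int) $row; // explicit cast here, not a coercion inside the call
    }
    throw new InvalidArgumentException(
        'row offset must be a non-negative integer, got ' . var_export($row, true)
    );
}

/** Fetch one row by a validated offset (assumed wrapper name). */
function fetchRowChecked($result, mixed $row): array|false
{
    return pg_fetch_array($result, rowOffset($row), PGSQL_ASSOC);
}

// Validation alone, no database needed:
var_dump(rowOffset(0.0)); // int(0)
var_dump(rowOffset(3));   // int(3)
foreach ([0.5, -1, NAN, '0'] as $bad) {
    try {
        rowOffset($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Database part: PGCONN is an assumed environment variable with a libpq
// connection string, e.g. "host=... dbname=... user=... password=...".
$conn = getenv('PGCONN');
if ($conn !== false && function_exists('pg_connect')) {
    $db = pg_connect($conn);
    if ($db === false) {
        throw new RuntimeException('pg_connect() failed');
    }
    $result = pg_query($db, 'select 1 as one'); // pg_exec() in the report is an alias
    var_dump(fetchRowChecked($result, floor(4 / 5))); // float(0) validated to int(0)
    var_dump(fetchRowChecked($result, 0));

    // Under strict_types the unvalidated call shape from the report is refused
    // at the call boundary rather than coerced:
    try {
        pg_fetch_array($result, floor(4 / 5));
    } catch (TypeError $e) {
        echo 'strict_types rejected float row: ', $e->getMessage(), "\n";
    }
}
```

The point of the explicit cast inside rowOffset() is that the int/float decision is made once, in userland, where it can be checked, so the value handed to the extension is always the type its parameter parsing expects; strict_types is the backstop for any call site that skips the wrapper.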
 [2005-09-18 03:11 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz

And this time: TRY the snapshot for real. And provide the backtrace using that snapshot if the crash still happens.
 [2005-10-02 23:11 UTC] jsnell at networkninja dot com
I had to modify my source a bit to get any output.  For some reason PHP was exiting normally despite stopping halfway through the script.  Here's the modified source:

<?php
error_reporting(E_STRICT | E_ALL);
$db_user = "db_user";
$db_password =  "db_pass";
$db_name = "db_name";
$db_port = 5432;

$connect_string =  "user=$db_user " .
"password=$db_password " .
"port=$db_port ".
"dbname=$db_name";

$db_link = pg_connect($connect_string);

$query = 'select 1 as one';
$result = pg_exec($db_link, $query);
$i = (float) floor(4/5);
echo("PRE"); flush();
$data =  pg_fetch_array($result, $i); // i think it gets corrupted here
echo('i:'.$i); flush();

$data = pg_fetch_array($result, ($i));
$data = pg_fetch_array($result, ($i));
echo("z\n");
?>

And the backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1213273280 (LWP 17172)]
0xb7d455e7 in memcpy () from /lib/tls/libc.so.6

(gdb) bt
#0  0xb7d455e7 in memcpy () from /lib/tls/libc.so.6
#1  0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44,
    op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180
#2  0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffc8a0)
    at zend_vm_execute.h:3502
#3  0x082bb177 in execute (op_array=0x848ce2c) at zend_vm_execute.h:88
#4  0x0828ea39 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/php5-200510021630/Zend/zend.c:1087
#5  0x08245090 in php_execute_script (primary_file=0xbfffed20)
    at /usr/src/php5-200510021630/main/main.c:1677
#6  0x0830943c in main (argc=4, argv=0xbfffedf4)
    at /usr/src/php5-200510021630/sapi/cli/php_cli.c:1039

Here's some extra information which I hope will help:

(gdb) frame 1
#1  0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44,
    op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180
1180                    memcpy(result->value.str.val+op1->value.str.len, op2->value.str.val, op2->value.str.len);
(gdb) print result->value.str
$1 = {val = 0x5d54802c "i:", len = 1515870812}
(gdb) print op1->value.str.len
$2 = 2
(gdb) print op2->value.str.val
$3 = 0x0
(gdb) print op2->value.str.len
$4 = 1515870810
(gdb)    

(gdb) frame 2
#2  0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffcd20)
    at zend_vm_execute.h:3502
3502            concat_function(&EX_T(opline->result.u.var).tmp_var,
(gdb) print *opline
$74 = {handler = 0x82c2b78 <ZEND_CONCAT_SPEC_CONST_CV_HANDLER>, result = {
    op_type = 2, u = {constant = {value = {lval = 580,
          dval = 2.86558074587923e-321, str = {
            val = 0x244 <Address 0x244 out of bounds>, len = 0}, ht = 0x244,
          obj = {handle = 580, handlers = 0x0}}, refcount = 0, type = 0 '\0',
        is_ref = 0 '\0'}, var = 580, opline_num = 580, op_array = 0x244,
      jmp_addr = 0x244, EA = {var = 580, type = 0}}}, op1 = {op_type = 1,
    u = {constant = {value = {lval = 139013284,
          dval = 4.3126732698705173e-314, str = {val = 0x8492ca4 "i:",
            len = 2}, ht = 0x8492ca4, obj = {handle = 139013284,
            handlers = 0x2}}, refcount = 2, type = 6 '\006',
        is_ref = 1 '\001'}, var = 139013284, opline_num = 139013284,
      op_array = 0x8492ca4, jmp_addr = 0x8492ca4, EA = {var = 139013284,
        type = 2}}}, op2 = {op_type = 16, u = {constant = {value = {lval = 8,
          dval = 3.3951932659396882e-313, str = {
            val = 0x8 <Address 0x8 out of bounds>, len = 16}, ht = 0x8,
          obj = {handle = 8, handlers = 0x10}}, refcount = 1,
        type = 6 '\006', is_ref = 0 '\0'}, var = 8, opline_num = 8,
      op_array = 0x8, jmp_addr = 0x8, EA = {var = 8, type = 16}}},
  extended_value = 0, lineno = 20, opcode = 8 '\b'}
 [2005-10-11 18:20 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 13 04:01:26 2024 UTC