php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33167 pg_fetch_array can cause a segfault
Submitted: 2005-05-28 00:59 UTC Modified: 2005-10-11 18:20 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: jsnell at networkninja dot com Assigned:
Status: Closed Package: PostgreSQL related
PHP Version: 5CVS-2005-10-02 (snap) OS: Debian (dotdeb), gentoo
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jsnell at networkninja dot com
New email:
PHP Version: OS:

 

 [2005-05-28 00:59 UTC] jsnell at networkninja dot com
Description:
------------
Calling pg_fetch_array() with the results of a division followed by calling it with a constant causes a segfault.  I have confirmed it in both cgi and mod php 5.0.4 and also in cgi php 5.0.3.

Reproduce code:
---------------
// need a valid database to connect to
// contents don't matter
$query = 'select 1 as one';

$db_user = "your_user";
$db_password =  "your_pass";
$db_name = "your_db";
$db_port = 5432;

$connect_string =  "user=$db_user " .
"password=$db_password " .
"port=$db_port ".
"dbname=$db_name";
$db_link = pg_connect($connect_string);

$result = pg_exec($db_link, $query);

$i = floor(4/5);
$data =  pg_fetch_array($result, $i);

$i = 0;
$data = pg_fetch_array($result, $i);

echo("No segfault");


Expected result:
----------------
No segfault

Actual result:
--------------
gdb backtrace:

#0  0x0820cf3b in _zend_hash_index_update_or_next_insert ()
#1  0x08209c53 in add_index_stringl ()
#2  0x406bee43 in zif_pg_fetch_result () from /usr/lib/php5/20041030/pgsql.so
#3  0x406bf10f in zif_pg_fetch_array () from /usr/lib/php5/20041030/pgsql.so
#4  0x0823c4da in zend_do_fcall_common_helper ()
#5  0x0823cb11 in zend_do_fcall_handler ()
#6  0x08224cb5 in execute ()
#7  0x08207e28 in zend_execute_scripts ()
#8  0x081d8bca in php_execute_script ()
#9  0x0824c3f4 in main ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-09-18 03:11 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz

And this time: TRY the snapshot for real. And provide the backtrace using that snapshot if the crash still happens.
 [2005-10-02 23:11 UTC] jsnell at networkninja dot com
I had to modify my source a bit to get any output.  For some reason PHP was exiting normally despite stopping half way through the script.  Here's the modified source:

<?php
error_reporting(E_STRICT | E_ALL);
$db_user = "db_user";
$db_password =  "db_pass";
$db_name = "db_name";
$db_port = 5432;

$connect_string =  "user=$db_user " .
"password=$db_password " .
"port=$db_port ".
"dbname=$db_name";

$db_link = pg_connect($connect_string);

$query = 'select 1 as one';
$result = pg_exec($db_link, $query);
$i = (float) floor(4/5);
echo("PRE"); flush();
$data =  pg_fetch_array($result, $i); // i think it gets corrupted here
echo('i:'.$i); flush();

$data = pg_fetch_array($result, ($i));
$data = pg_fetch_array($result, ($i));
echo("z\n");
?>

And the backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1213273280 (LWP 17172)]
0xb7d455e7 in memcpy () from /lib/tls/libc.so.6

(gdb) bt
#0  0xb7d455e7 in memcpy () from /lib/tls/libc.so.6
#1  0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44,
    op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180
#2  0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffc8a0)
    at zend_vm_execute.h:3502
#3  0x082bb177 in execute (op_array=0x848ce2c) at zend_vm_execute.h:88
#4  0x0828ea39 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/php5-200510021630/Zend/zend.c:1087
#5  0x08245090 in php_execute_script (primary_file=0xbfffed20)
    at /usr/src/php5-200510021630/main/main.c:1677
#6  0x0830943c in main (argc=4, argv=0xbfffedf4)
    at /usr/src/php5-200510021630/sapi/cli/php_cli.c:1039

Here's some extra information which I hope will help:

(gdb) frame 1
#1  0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44,
    op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180
1180                    memcpy(result->value.str.val+op1->value.str.len, op2->value.str.val, op2->value.str.len);
(gdb) print result->value.str
$1 = {val = 0x5d54802c "i:", len = 1515870812}
(gdb) print op1->value.str.len
$2 = 2
(gdb) print op2->value.str.val
$3 = 0x0
(gdb) print op2->value.str.len
$4 = 1515870810
(gdb)    

(gdb) frame 2
#2  0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffcd20)
    at zend_vm_execute.h:3502
3502            concat_function(&EX_T(opline->result.u.var).tmp_var,
(gdb) print *opline
$74 = {handler = 0x82c2b78 <ZEND_CONCAT_SPEC_CONST_CV_HANDLER>, result = {
    op_type = 2, u = {constant = {value = {lval = 580,
          dval = 2.86558074587923e-321, str = {
            val = 0x244 <Address 0x244 out of bounds>, len = 0}, ht = 0x244,
          obj = {handle = 580, handlers = 0x0}}, refcount = 0, type = 0 '\0',
        is_ref = 0 '\0'}, var = 580, opline_num = 580, op_array = 0x244,
      jmp_addr = 0x244, EA = {var = 580, type = 0}}}, op1 = {op_type = 1,
    u = {constant = {value = {lval = 139013284,
          dval = 4.3126732698705173e-314, str = {val = 0x8492ca4 "i:",
            len = 2}, ht = 0x8492ca4, obj = {handle = 139013284,
            handlers = 0x2}}, refcount = 2, type = 6 '\006',
        is_ref = 1 '\001'}, var = 139013284, opline_num = 139013284,
      op_array = 0x8492ca4, jmp_addr = 0x8492ca4, EA = {var = 139013284,
        type = 2}}}, op2 = {op_type = 16, u = {constant = {value = {lval = 8,
          dval = 3.3951932659396882e-313, str = {
            val = 0x8 <Address 0x8 out of bounds>, len = 16}, ht = 0x8,
          obj = {handle = 8, handlers = 0x10}}, refcount = 1,
        type = 6 '\006', is_ref = 0 '\0'}, var = 8, opline_num = 8,
      op_array = 0x8, jmp_addr = 0x8, EA = {var = 8, type = 16}}},
  extended_value = 0, lineno = 20, opcode = 8 '\b'}
 [2005-10-11 18:20 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 20:01:28 2024 UTC