Bug #33201 segfault in _emalloc called from php_mssql_get_column_content_with_type
Submitted: 2005-05-31 13:53 UTC Modified: 2005-11-18 22:24 UTC
From: skissane at iips dot mq dot edu dot au Assigned: fmk
Status: Closed Package: MSSQL related
PHP Version: 5CVS-2005-11-07 (snap) OS: Linux
Private report: No CVE-ID:
 [2005-05-31 13:53 UTC] skissane at iips dot mq dot edu dot au
Description:
------------
Segmentation fault.



Reproduce code:
---------------
<?php
// The backtrace below shows the crash inside mssql_query() itself
// (zif_mssql_query -> _mssql_fetch_batch -> php_mssql_get_column_content_with_type);
// the fetch loop only drains the result set.
$q = mssql_connect("<server>","<username>","<password>");
$i = mssql_query("SELECT * FROM MSSQLTrace_99",$q);
while (mssql_fetch_row($i) !== FALSE);

Where the MSSQLTrace_99 table is created by the following MSSQL script (a bit too big for a bug database):
http://www.iips.mq.edu.au/php_mssql_bug.txt

Expected result:
----------------
No output.

Actual result:
--------------
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 29878)]
0x40440bef in _int_malloc () from /lib/i686/libc.so.6
(gdb) bt
#0  0x40440bef in _int_malloc () from /lib/i686/libc.so.6
#1  0x404422ac in malloc () from /lib/i686/libc.so.6
#2  0x0815ac58 in _emalloc (size=1078913472) at /home/skissane/php-5.0.4/Zend/zend_alloc.c:182
#3  0x0809151e in php_mssql_get_column_content_with_type (mssql_ptr=0x827079c, offset=1078913472, result=0x828319c, column_type=1078910980)
    at /home/skissane/php-5.0.4/ext/mssql/php_mssql.c:877
#4  0x08091daf in _mssql_fetch_batch (mssql_ptr=0x827079c, result=0x826b5cc, retvalue=-1) at /home/skissane/php-5.0.4/ext/mssql/php_mssql.c:1104
#5  0x0809222e in zif_mssql_query (ht=33, return_value=0x8270a54, this_ptr=0x0, return_value_used=1) at /home/skissane/php-5.0.4/ext/mssql/php_mssql.c:1225
#6  0x081882ce in zend_do_fcall_common_helper (execute_data=0xbfffd510, opline=0x826f980, op_array=0x826b53c)
    at /home/skissane/php-5.0.4/Zend/zend_execute.c:2727
#7  0x081858ca in execute (op_array=0x826b53c) at /home/skissane/php-5.0.4/Zend/zend_execute.c:1406
#8  0x0816b79f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-5.0.4/Zend/zend.c:1069
#9  0x0813eb73 in php_execute_script (primary_file=0xbffff8d0) at /home/skissane/php-5.0.4/main/main.c:1632
#10 0x0818ebe8 in main (argc=2, argv=0xbffff954) at /home/skissane/php-5.0.4/sapi/cli/php_cli.c:946
#11 0x403f3912 in __libc_start_main () from /lib/i686/libc.so.6

 [2005-11-06 23:58 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-11-07 02:24 UTC] skissane at iips dot mq dot edu dot au
With the latest snapshot the segfault is no longer happening... but malloc corruption is still occurring, which makes me wonder whether it really has been fixed or just changed in some way which makes this testcase no longer trigger the bug...

> ./configure --with-mssql --disable-cgi --enable-cli --disable-debug && make clean && make && sapi/cli/php bug33201.php
*** glibc detected *** sapi/cli/php: malloc(): memory corruption: 0x09546be0 ***
======= Backtrace: =========
/lib/libc.so.6[0xc800ea]
/lib/libc.so.6(malloc+0x74)[0xc81492]
sapi/cli/php(_emalloc+0x2f)[0x81ccde3]
sapi/cli/php[0x80a5a7d]
sapi/cli/php[0x80a989c]
sapi/cli/php(zif_mssql_query+0x2eb)[0x80a9e47]
sapi/cli/php[0x8200588]
sapi/cli/php(execute+0xf5)[0x81ffd89]
sapi/cli/php(zend_execute_scripts+0x1f3)[0x81e09c3]
sapi/cli/php(php_execute_script+0x21a)[0x81ad776]
sapi/cli/php(main+0xd60)[0x8262160]
/lib/libc.so.6(__libc_start_main+0xdf)[0xc30d5f]
sapi/cli/php[0x807bc29]
======= Memory map: ========
<omitted...>

> ./configure --with-mssql --disable-cgi --enable-cli --enable-debug && make clean && make && sapi/cli/php bug33201.php
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090E9980 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 19 bytes)
      End:      Overflown (magic=0x2A8FCC00 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090E9DB0 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 19 bytes)
      End:      Overflown (magic=0x2A8FCC00 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090EA268 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 19 bytes)
      End:      Overflown (magic=0x2A8FCC00 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090EA2B0 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 9 bytes)
      End:      Overflown (magic=0x35373232 instead of 0x2A8FCC84)
                At least 4 bytes overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090EA828 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 19 bytes)
      End:      Overflown (magic=0x2A8FCC00 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090EAF18 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 19 bytes)
      End:      Overflown (magic=0x2A8FCC00 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090EAF60 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 9 bytes)
      End:      Overflown (magic=0x36383934 instead of 0x2A8FCC84)
                At least 4 bytes overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090EA9A8 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 19 bytes)
      End:      Overflown (magic=0x2A8FCC00 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
[Mon Nov  7 12:12:37 2005]  Script:  'bug33201.php'
---------------------------------------
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.h(35) : Block 0x090EA9F0 status:
/home/skissane/unpacked/php5-200511062130/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c:907, 9 bytes)
      End:      Overflown (magic=0x37323331 instead of 0x2A8FCC84)
                At least 4 bytes overflown
---------------------------------------
/home/skissane/unpacked/php5-200511062130/ext/mssql/php_mssql.c(907) :  Freeing 0x090EAA14 (9 bytes), script=bug33201.php
Last leak repeated 8 times
=== Total 9 memory leaks detected ===
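The debug-allocator output above reports blocks of 9 and 19 bytes allocated at php_mssql.c:907 whose end magic was overwritten: by a single byte for the 19-byte blocks (0x2A8FCC84 became 0x2A8FCC00, i.e. a NUL landed on the first byte past the block) and by at least four bytes of ASCII digits for the 9-byte ones. The following is an added example, not code from PHP's ext/mssql or from the reporter, and it does not claim to be the actual defect (the fixed line is not shown on this page). It shows two generic column-conversion patterns that produce exactly this kind of report, a string copy whose buffer has no room for the terminator and an integer formatted into a buffer sized from an assumed digit count, each beside a hardened form, plus a small tail-canary allocator in the spirit of the Zend debug allocator so the overflow extent can be measured instead of merely crashing. The magic value, the sample column bytes and the sample bigint are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* End-of-block magic, borrowed from the "instead of 0x2A8FCC84" line above. */
#define END_MAGIC 0x2A8FCC84u
#define SLACK 16  /* extra bytes so the demo overflow never leaves the real malloc'd region */

typedef struct {
    unsigned char *data;  /* block handed to the caller */
    size_t len;           /* requested size; canary sits at data[len..len+3] */
} guarded_block;

/* malloc a block and plant a 4-byte canary immediately after it. */
static guarded_block guarded_alloc(size_t len)
{
    guarded_block b;
    unsigned magic = END_MAGIC;
    b.len = len;
    b.data = malloc(len + sizeof magic + SLACK);
    if (!b.data) { perror("malloc"); exit(1); }
    memcpy(b.data + len, &magic, sizeof magic);
    return b;
}

/* Overflow extent in bytes: 0 if the canary is intact, 1..3 if only leading
 * bytes were hit, 4 when the whole canary is gone ("At least 4 bytes" in Zend's wording). */
static int guarded_check(const guarded_block *b)
{
    unsigned magic = END_MAGIC;
    unsigned char want[sizeof magic];
    int extent = 0;
    memcpy(want, &magic, sizeof magic);
    for (size_t i = 0; i < sizeof magic; i++)
        if (b->data[b->len + i] != want[i])
            extent = (int)i + 1;
    return extent;
}

static void guarded_free(guarded_block *b) { free(b->data); b->data = NULL; }

/* Pattern 1: column value copied into a buffer sized to its raw length.
 * The terminator lands on the first canary byte: "1 byte(s) overflown". */
static guarded_block column_to_string_unsafe(const unsigned char *col, size_t col_len)
{
    guarded_block b = guarded_alloc(col_len);   /* BUG: no room for '\0' */
    memcpy(b.data, col, col_len);
    b.data[col_len] = '\0';
    return b;
}

/* Hardened form: one extra byte for the terminator. */
static guarded_block column_to_string_safe(const unsigned char *col, size_t col_len)
{
    guarded_block b = guarded_alloc(col_len + 1);
    memcpy(b.data, col, col_len);
    b.data[col_len] = '\0';
    return b;
}

/* Pattern 2: numeric column rendered into a buffer sized from an assumed digit
 * count rather than from the value being printed. A 13-digit value written into
 * a 9-byte block overwrites the whole canary with ASCII digits. */
static guarded_block numeric_to_string_unsafe(long long value, size_t assumed_digits)
{
    guarded_block b = guarded_alloc(assumed_digits + 1);
    sprintf((char *)b.data, "%lld", value);     /* BUG: write is not bounded by the allocation */
    return b;
}

/* Hardened form: measure first, then allocate and write with a bound. */
static guarded_block numeric_to_string_safe(long long value)
{
    int need = snprintf(NULL, 0, "%lld", value);
    guarded_block b = guarded_alloc((size_t)need + 1);
    snprintf((char *)b.data, (size_t)need + 1, "%lld", value);
    return b;
}

int main(void)
{
    /* Constructed inputs: a 19-byte column value and a 13-digit bigint. */
    const unsigned char col[] = "abcdefghijklmnopqrs";
    guarded_block a = column_to_string_unsafe(col, 19);
    guarded_block c = column_to_string_safe(col, 19);
    guarded_block n = numeric_to_string_unsafe(1234567892275LL, 8);
    guarded_block m = numeric_to_string_safe(1234567892275LL);
    printf("copy, no terminator room: %d byte(s) overflown\n", guarded_check(&a));
    printf("copy, hardened:           %d byte(s) overflown\n", guarded_check(&c));
    printf("sprintf, assumed width:   %d byte(s) overflown\n", guarded_check(&n));
    printf("snprintf, measured:       %d byte(s) overflown\n", guarded_check(&m));
    guarded_free(&a); guarded_free(&c); guarded_free(&n); guarded_free(&m);
    return 0;
}
```

In the second pattern the four bytes that land on the canary are '2','2','7','5' (0x32 0x32 0x37 0x35); on a little-endian host they read back as the unsigned value 0x35373232, which is the corrupted magic printed for the first 9-byte block above, so digit-looking magic values in such a report are a strong hint that a number is being formatted into a buffer sized from its declared width rather than its rendered length. For a real build the same measurement is what `--enable-debug` gave the reporter, and AddressSanitizer reports the same one-byte and four-byte overruns at the faulting write.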
 [2005-11-07 15:55 UTC] sniper@php.net
Frank, fix please? :)
 [2005-11-18 22:24 UTC] fmk@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 08:02:33 2014 UTC