php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34810 mysqli::init() and others use wrong $this pointer without checks
Submitted: 2005-10-10 14:37 UTC Modified: 2005-10-10 14:59 UTC
From: antony at zend dot com Assigned: tony2001 (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.1.0RC1 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: antony at zend dot com
New email:
PHP Version: OS:

 

 [2005-10-10 14:37 UTC] antony at zend dot com
Description:
------------
mysqli::init(), mysqli::connect() and mysqli_warning::__construct() use wrong inherited $this pointer without checking if this_ptr really points to the mysqli_object.
In particular conditions this can lead to segfault.

Reproduce code:
---------------
class DbConnection { 
    private $link = NULL; 

    public function connect() { 
        $this->link = mysqli::init();
        var_dump($this->link); 
    } 
} 

$db = new DbConnection(); 
$db->connect();

Actual result:
--------------
*** glibc detected *** free(): invalid pointer: 0xbfffece4 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread 1076990336 (LWP 24078)]
0xffffe410 in ?? ()
(gdb) bt
#0  0xffffe410 in ?? ()
#1  0xbfffe224 in ?? ()
#2  0x00000006 in ?? ()
#3  0x00005e0e in ?? ()
#4  0x400ec2c1 in raise () from /lib/tls/libc.so.6
#5  0x400edb75 in abort () from /lib/tls/libc.so.6
#6  0x401207aa in __libc_message () from /lib/tls/libc.so.6
#7  0x40126007 in malloc_printerr () from /lib/tls/libc.so.6
#8  0x401276cb in free () from /lib/tls/libc.so.6
#9  0x080c1364 in mysqli_objects_destroy_object (object=0x85585a8, handle=3) at /usr/src/dev/orig/php-src_5_1/ext/mysqli/mysqli.c:152
#10 0x0826ed46 in zend_objects_store_call_destructors (objects=0x84b36ec) at /usr/src/dev/orig/php-src_5_1/Zend/zend_objects_API.c:55
#11 0x08249416 in shutdown_destructors () at /usr/src/dev/orig/php-src_5_1/Zend/zend_execute_API.c:190
#12 0x082559a6 in zend_call_destructors () at /usr/src/dev/orig/php-src_5_1/Zend/zend.c:817
#13 0x08214b38 in php_request_shutdown (dummy=0x0) at /usr/src/dev/orig/php-src_5_1/main/main.c:1210
#14 0x082c1093 in main (argc=2, argv=0xbfffefb4) at /usr/src/dev/orig/php-src_5_1/sapi/cli/php_cli.c:1142


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-10 14:59 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 10:01:30 2024 UTC