Bug #34818 new mysqli_stmt() crashes if first parameter is not a valid mysqli_link
Submitted: 2005-10-10 21:24 UTC Modified: 2005-10-10 22:06 UTC
From: squasar at eternalviper dot net Assigned: tony2001
Status: Closed Package: MySQLi related
PHP Version: 5.1.0RC1 OS: *
Private report: No CVE-ID:
 [2005-10-10 21:24 UTC] squasar at eternalviper dot net
Description:
------------
Calling __construct() on mysqli_stmt with an unset variable as the mysqli_link crashes PHP in mysqli_stmt_construct. Note that this is actually 5.1.0RC2 (CVS tag php_5_1_0RC2_PRE). This may affect other MySQLi functions (?). A possible fix, minus a more informative error message, is here, but my instinct says there may be more going on behind this than the check in MYSQLI_FETCH_RESOURCE(), since passing a literal NULL or similar instead of an undefined variable gives an error message instead of crashing.

Index: ext/mysqli/php_mysqli.h
============================================================
=======
RCS file: /repository/php-src/ext/mysqli/php_mysqli.h,v
retrieving revision 1.54
diff -u -r1.54 php_mysqli.h
--- ext/mysqli/php_mysqli.h     3 Aug 2005 14:07:31 -0000       
1.54
+++ ext/mysqli/php_mysqli.h     10 Oct 2005 19:17:35 -0000
@@ -202,7 +202,12 @@
 #define MYSQLI_FETCH_RESOURCE(__ptr, __type, __id, __name) 
\
 { \
        MYSQLI_RESOURCE *my_res; \
-       mysqli_object *intern = (mysqli_object *)
zend_object_store_get_object(*(__id) TSRMLS_CC);\
+       mysqli_object *intern = NULL; \
+       if (Z_TYPE_PP(__id) != IS_OBJECT) {\
+               php_error(E_WARNING, "Object parameter 
invalid"); \
+               RETURN_NULL(); \
+       } \
+       intern = (mysqli_object *)
zend_object_store_get_object(*(__id) TSRMLS_CC);\
        if (!(my_res = (MYSQLI_RESOURCE *)intern->ptr)) {\
                php_error(E_WARNING, "Couldn't fetch %s", 
intern->zo.ce->name);\
                RETURN_NULL();\
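Review bot: the new `Z_TYPE_PP(__id) != IS_OBJECT` guard rules out the non-object case, but the macro then still casts whatever object it was given to `mysqli_object *` and dereferences `intern->ptr`, so an object of an unrelated class reaching this macro would be treated as a mysqli object; unless every caller has already validated the class when parsing its arguments, check the object's class entry against the expected mysqli class before the cast. The message "Object parameter invalid" also names neither the parameter nor the expected type; the existing branch below reports `intern->zo.ce->name`, so reporting the macro's `__name` argument in the new warning would keep the two messages consistent and more useful to the script author.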


Reproduce code:
---------------
<?php $s = new mysqli_stmt( $undefined, "SELECT 1 FROM DUAL" ); ?>


Expected result:
----------------
Warning: Object parameter invalid in - on line 1

Actual result:
--------------
Bus error

Thread 0 Crashed:
0   php 	0x000c1bb8 zif_mysqli_stmt_construct + 252 (mysqli.c:675)
1   php 	0x0020ab88 zend_do_fcall_common_helper_SPEC + 1560 (zend_vm_execute.h:184)
2   php 	0x0020a4c4 execute + 520 (zend_vm_execute.h:87)
3   php 	0x001e0630 zend_execute_scripts + 444 (zend.c:1079)
4   php 	0x00195334 php_execute_script + 780 (main.c:1679)
5   php 	0x002921ac main + 3684 (php_cli.c:1040)
6   php 	0x00002b58 _start + 344 (crt.c:272)
7   php 	0x000029fc start + 60
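As an added illustration (not code from the report, the patch, or PHP's ext/mysqli), the following C model of a resource-fetch macro shows the point the report and patch turn on: a value's type tag, and then its class, must be checked before its payload is cast to an object pointer and dereferenced. All type and function names here (tagged_value, obj_wrapper, CLS_*, fetch_resource, run_case) are invented for the illustration, and the inputs in main() are constructed to mirror the call shapes discussed in the report.

```c
/* Added example, not code from the bug report or from PHP's ext/mysqli: a
 * reduced C model of the MYSQLI_FETCH_RESOURCE pattern, showing why the
 * type tag (and the class) must be checked before the payload is treated
 * as an object pointer. All names here (tagged_value, obj_wrapper, CLS_*,
 * fetch_resource, run_case) are invented for the illustration. */
#include <stdio.h>
#include <stddef.h>

/* Type tag of a script-level value (stands in for a zval's type field). */
enum value_type { T_UNDEF = 0, T_NULL, T_LONG, T_OBJECT };

/* Which class an object belongs to (stands in for the class entry). */
enum class_id { CLS_NONE = 0, CLS_STDCLASS, CLS_MYSQLI, CLS_MYSQLI_STMT };

/* Engine-side wrapper around an object (stands in for mysqli_object). */
typedef struct {
    enum class_id cls;
    void *ptr;              /* native handle; NULL until the object is initialised */
} obj_wrapper;

/* A script value: tag plus payload (stands in for a zval). */
typedef struct {
    enum value_type type;
    union { long lval; obj_wrapper *obj; } u;
} tagged_value;

typedef enum {
    FETCH_OK = 0,
    FETCH_NOT_OBJECT,   /* tag is not T_OBJECT: undefined, NULL, integer, ... */
    FETCH_WRONG_CLASS,  /* an object, but not of the class the caller expects */
    FETCH_NO_RESOURCE   /* right class, but the native handle is not set yet */
} fetch_status;

/* Hardened fetch. Each test guards the dereference that follows it; an
 * unchecked fetch performs only the last one, after already casting the
 * payload to an object pointer. On FETCH_OK, *out receives the handle. */
fetch_status fetch_resource(const tagged_value *v, enum class_id want, void **out)
{
    *out = NULL;
    if (v->type != T_OBJECT)                        /* tag check: not an object at all */
        return FETCH_NOT_OBJECT;
    if (v->u.obj == NULL || v->u.obj->cls != want)  /* class check before using fields */
        return FETCH_WRONG_CLASS;
    if (v->u.obj->ptr == NULL)                      /* handle check on the wrapper */
        return FETCH_NO_RESOURCE;
    *out = v->u.obj->ptr;
    return FETCH_OK;
}

/* Build a value of the requested shape and fetch it as class `want`.
 * For non-object tags the payload is zeroed here; in a real engine it
 * could be stale bits, which is exactly why the tag must be consulted first. */
fetch_status run_case(enum value_type type, enum class_id cls, int has_handle,
                      enum class_id want)
{
    static int native_handle;            /* stands in for a native connection handle */
    obj_wrapper obj = { cls, has_handle ? &native_handle : NULL };
    tagged_value v = {0};
    void *out;

    v.type = type;
    if (type == T_OBJECT)
        v.u.obj = &obj;
    return fetch_resource(&v, want, &out);
}

static const char *status_name(fetch_status s)
{
    switch (s) {
    case FETCH_OK:          return "ok";
    case FETCH_NOT_OBJECT:  return "warning: object parameter invalid";
    case FETCH_WRONG_CLASS: return "warning: object is not the expected class";
    case FETCH_NO_RESOURCE: return "warning: couldn't fetch resource";
    }
    return "?";
}

int main(void)
{
    /* Constructed inputs mirroring the call shapes that matter for this report. */
    struct { const char *label; enum value_type t; enum class_id c; int h; } cases[] = {
        { "undefined variable",            T_UNDEF,  CLS_NONE,     0 },
        { "literal NULL",                  T_NULL,   CLS_NONE,     0 },
        { "stdClass object",               T_OBJECT, CLS_STDCLASS, 0 },
        { "fresh mysqli, not connected",   T_OBJECT, CLS_MYSQLI,   0 },
        { "connected mysqli",              T_OBJECT, CLS_MYSQLI,   1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s -> %s\n", cases[i].label,
               status_name(run_case(cases[i].t, cases[i].c, cases[i].h, CLS_MYSQLI)));
    return 0;
}
```

The order of the three checks is the whole design: each one makes the next dereference legal, so removing the first (as the pre-patch macro effectively did) turns an undefined or NULL argument into a read through whatever bits the payload holds.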


 [2005-10-10 22:06 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 17:01:58 2014 UTC