php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35563 phpmyadmin make seg fault with sql.php script
Submitted: 2005-12-06 00:42 UTC Modified: 2005-12-21 01:00 UTC
Votes:6
Avg. Score:4.2 ± 0.9
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: edo at edo dot cl Assigned:
Status: No Feedback Package: MySQL related
PHP Version: 4.4.1 OS: solaris 8
Private report: No CVE-ID: None
 [2005-12-06 00:42 UTC] edo at edo dot cl
Description:
------------
I've update phpmyadmin to 2.7.0 and php to 4.4.1 , and the apache  crashes with follow logs:
[Mon Dec 05 20:27:22 2005] [notice] child pid 19823 exit signal Segmentation fault (11)
[Mon Dec 05 20:27:23 2005] [notice] child pid 17555 exit signal Segmentation fault (11)
[Mon Dec 05 20:27:24 2005] [notice] child pid 17553 exit signal Segmentation fault (11)
(three times per get sql.php script)

Below of gdb core with php-cli, replace the form values with inserted vars obtain the same error:
                         
GDB debug

#0  0xfeab31b4 in strlen () from /usr/lib/libc.so.1
#1  0x177cc8 in add_property_string_ex (arg=0x747220, key=0x3300b8 "def", key_len=4, str=0x1 <Address 0x1 out of bounds>, duplicate=1)
    at /export/home/broot/work5/php-4.4.1/Zend/zend_API.c:979
#2  0x9ea60 in zif_mysql_fetch_field (ht=7352416, return_value=0x747220, this_ptr=0x0, return_value_used=1)
    at /export/home/broot/work5/php-4.4.1/ext/mysql/php_mysql.c:2168
#3  0x1858c8 in execute (op_array=0x5dbec8) at /export/home/broot/work5/php-4.4.1/Zend/zend_execute.c:1675
#4  0x185650 in execute (op_array=0x46f280) at /export/home/broot/work5/php-4.4.1/Zend/zend_execute.c:1719
#5  0x175c4c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /export/home/broot/work5/php-4.4.1/Zend/zend.c:938
#6  0x146810 in php_execute_script (primary_file=0xffbef740) at /export/home/broot/work5/php-4.4.1/main/main.c:1743
#7  0x18ab08 in main (argc=2, argv=0xffbef7cc) at /export/home/broot/work5/php-4.4.1/sapi/cli/php_cli.c:830
(gdb) frame 3
#3  0x1858c8 in execute (op_array=0x5dbec8) at /export/home/broot/work5/php-4.4.1/Zend/zend_execute.c:1675
1675                                                            ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);
(gdb) frame 4
#4  0x185650 in execute (op_array=0x46f280) at /export/home/broot/work5/php-4.4.1/Zend/zend_execute.c:1719
1719                                                    zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 2
#2  0x9ea60 in zif_mysql_fetch_field (ht=7352416, return_value=0x747220, this_ptr=0x0, return_value_used=1)
    at /export/home/broot/work5/php-4.4.1/ext/mysql/php_mysql.c:2168
2168            add_property_string(return_value, "def",(mysql_field->def?mysql_field->def:empty_string), 1);


Reproduce code:
---------------
phpmyadmin-2.7.0/sql.php , 4.1.15-standard-log , libmysql client version 12.

Expected result:
----------------
In normal situation, the problem happens when browse the data of  any table or only invocate sql.php (any SQL statement) with Zero size reply. In fact, i did try to send mailformed SQL sintax (bad sql command or incorrect table/fields name), and the script responses the mailformed sql send, so the problem happens after the SQL validation.


Actual result:
--------------
oot@fish:/usr/local/apache2/holding/php-my-admin#php -e sql2.php                                                                                                                       
         
Notice: Use of undefined constant web1 - assumed 'web1' in
/usr/local/apache2/holding/php-my-admin/sql2.php on line 13
              
Notice: Use of undefined constant web2 assumed 'web2' in
/usr/local/apache2/holding/php-my-admin/sql2.php on line 14
                                                           
Warning: Cannot modify header information - headers already sent by (output 
started at /usr/local/apache2/holding/php-my-admin/sql2.php:13) in
/usr/local/apache2/holding/php-my-admin/libraries/ob.lib.php on line 61
Segmentation Fault (core dumped)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-12-06 00:51 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.


 [2005-12-06 01:04 UTC] edo at edo dot cl
Just see the sql.php script into phpmyadmin > 2.6.x , in my situation uses  2.7.0 version . Anothe interesting point says that sql.php don't crashes if use another sql different of SELECT, so the problem maybe involves the mysql_fetch_* structure.
 [2005-12-06 01:35 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2005-12-07 00:00 UTC] edo at edo dot cl
I've downloaded the snapshot, but now i have lot of new errors for linking c-client imap-wu library (required for horde support):

broot@server:~/work5/php5.1-200512061130#./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mod_charset --enable-force-cgi-redirect --enable-fastcgi --enable-safe-mode --enable-sigchild --enable-magic-quotes --with-openssl=/usr/local/ssl --enable-calendar --with-dom=/usr/local --with-flatfile --enable-ftp --with-iconv --with-iconv-dir=/usr/local/lib --with-imap=../imap-2004g --with-java=/usr/java1.2 --with-openssl-dir=/usr/local/ssl --with-mime-magic --enable-soap --with-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --enable-sockets --enable-sysvmsg --enable-sysvsem --enable-sysvshm --with-gettext=/usr --with-zlib --with-zlib-dir=/usr --enable-mbstring --enable-mbstring-enc-trans --with-iconv=/usr/local --enable-memory-limit

The linking process failed like this:
strtod.lo Zend/zend_objects.lo Zend/zend_object_handlers.lo Zend/zend_objects_API.lo Zend/zend_mm.lo Zend/zend_default_classes.lo Zend/zend_execute.lo sapi/apache2handler/mod_php5.lo sapi/apache2handler/sapi_apache2.lo sapi/apache2handler/apache_config.lo sapi/apache2handler/php_functions.lo main/internal_functions.lo -lcrypt -lc-client -lmysqlclient -lcrypt -lpam -liconv -lintl -lssl -lcrypto -lz -lssl -lcrypto -lresolv -lm -ldl -lsocket -lnsl -lgcc -lxml2 -lz -liconv -lm -lsocket -lnsl -lxml2 -lz -liconv -lm -lsocket -lnsl -lxml2 -lz -liconv -lm -lsocket -lnsl -lxml2 -lz -liconv -lm -lsocket -lnsl -lxml2 -lz -liconv -lm -lsocket -lnsl -lxml2 -lz -liconv -lm -lsocket -lnsl -lxml2 -lz -liconv -lm -lsocket -lnsl -lcrypt  -o libphp5.la
Text relocation remains                         referenced
    against symbol                  offset      in file
<unknown>                           0x2b2c      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b30      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b34      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b38      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b3c      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b40      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b44      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b48      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b4c      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b50      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
<unknown>                           0x2b54      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
[ lot of errors]
time                                0x25f8      /export/home/broot/work5/imap-2004g/lib/libc-client.a(mh.o)
time                                0x2658      /export/home/broot/work5/imap-2004g/lib/libc-client.a(mx.o)
time                                0x2868      /export/home/broot/work5/imap-2004g/lib/libc-client.a(mx.o)
time                                0x1c0       /export/home/broot/work5/imap-2004g/lib/libc-client.a(netmsg.o)
fcntl                               0x795c      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
fcntl                               0x7978      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
fcntl                               0x7b18      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
fcntl                               0x96c0      /export/home/broot/work5/imap-2004g/lib/libc-client.a(osdep.o)
ld: fatal: relocations remain against allocatable but non-writable sections
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `libphp5.la'

The platform is sun4u 32bits with solaris8 and many GNU tools installed. The imap c-client library were made with/out SSL support and the error are the same.
 [2005-12-07 10:57 UTC] tony2001@php.net
I'm sure IMAP is not required to get the GDB backrace.
 [2005-12-13 16:13 UTC] edo at edo dot cl
Dear tony, but i need to build PHP with support for c-client (horde) and support for phpmyadmin in the same machine, in 4.4.1 don't have this problem at build with this version or previus c-client libs, 

Thanks in advance
Edo.
 [2005-12-13 16:23 UTC] tony2001@php.net
You don't need IMAP to reproduce the issue and get the backtrace.
 [2005-12-21 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Nov 06 02:01:30 2024 UTC