Bug #35759 mysqli_stmt_bind_result() makes huge allocation when column empty
Submitted: 2005-12-21 07:41 UTC Modified: 2005-12-27 10:44 UTC
From: squasar at eternalviper dot net Assigned: andrey (profile)
Status: Closed Package: MySQLi related
PHP Version: 5CVS-2005-12-25 (snap) OS: *
Private report: No CVE-ID: None


 [2005-12-21 07:41 UTC] squasar at eternalviper dot net
If a MEDIUMBLOB column has an empty value (length of zero), 
mysqli_stmt_bind_result() attempts to allocate a buffer of 16M 
for it. The offending code is in mysqli_api.c, line 332:

if (stmt->stmt->fields[ofs].max_length == 0) {

This will be true if the column is empty as well as in the 
case where the user has not called store_result(). The result 
is the code using the value of length instead of max_length, 
which is 16M for a mediumblob.
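The following C program is an added illustration of the sizing decision the report describes; it is not code from ext/mysqli and does not reproduce mysqli's actual fix. It models a field with the same metadata names as the fetch_fields() output (max_length, length, type 252, declared width 16777215 for MEDIUMBLOB), keeps the reported rule as buggy_buffer_size(), and contrasts it with safe_buffer_size(), which trusts max_length only once the result set has been stored and otherwise starts from an assumed 64 KiB cap and grows on truncation. fetch_value() is a constructed stand-in for the client library's fetch (the role MYSQL_DATA_TRUNCATED plays there), and the 100000-byte value is constructed test input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed field metadata using the names mysqli reports in the
 * fetch_fields() output above. length is the declared column width, which
 * the report shows as 16777215 for a MEDIUMBLOB; max_length is the longest
 * value actually present, which mysqli only knows after store_result(). */
typedef struct {
    const char   *name;
    unsigned long max_length;
    unsigned long length;
    int           type;       /* 252 = MYSQL_TYPE_BLOB, as in the report */
} field_meta;

#define MEDIUMBLOB_LENGTH 16777215UL   /* value taken from the report */
#define DEMO_INITIAL_CAP  65536UL      /* assumed initial buffer, 64 KiB */

/* The sizing rule the report describes: max_length == 0 falls back to the
 * declared width, so an empty MEDIUMBLOB column gets a 16M buffer. Kept here
 * as the "before" behaviour; it is a model, not mysqli's source. */
unsigned long buggy_buffer_size(const field_meta *f)
{
    if (f->max_length == 0)
        return f->length;
    return f->max_length;
}

/* Defensive rule: trust max_length only when the result set was stored
 * (then 0 really means "every value is empty" and one byte suffices).
 * Otherwise cap the first allocation and let the fetch loop grow it. */
unsigned long safe_buffer_size(const field_meta *f, bool result_stored,
                               unsigned long initial_cap)
{
    if (result_stored)
        return f->max_length > 0 ? f->max_length : 1;
    return f->length < initial_cap ? f->length : initial_cap;
}

/* Stand-in for the client fetch: copies what fits into buf, always reports
 * the true length, and returns true when the value was truncated. */
static bool fetch_value(const unsigned char *value, unsigned long value_len,
                        unsigned char *buf, unsigned long cap,
                        unsigned long *out_len)
{
    unsigned long n = value_len < cap ? value_len : cap;
    memcpy(buf, value, n);
    *out_len = value_len;
    return value_len > cap;
}

/* Fetch one column value, growing the buffer once to the reported length on
 * truncation. Returns the final buffer size, or 0 on allocation failure. */
unsigned long fetch_with_regrow(const field_meta *f, bool result_stored,
                                const unsigned char *value, unsigned long value_len)
{
    unsigned long cap = safe_buffer_size(f, result_stored, DEMO_INITIAL_CAP);
    unsigned char *buf = malloc(cap);
    if (!buf)
        return 0;
    unsigned long got;
    if (fetch_value(value, value_len, buf, cap, &got)) {
        unsigned char *grown = realloc(buf, got);
        if (!grown) { free(buf); return 0; }
        buf = grown;
        cap = got;
        fetch_value(value, value_len, buf, cap, &got);   /* refetch into grown buffer */
    }
    free(buf);
    return cap;
}

/* Scenario from the report: empty MEDIUMBLOB, store_result() never called. */
static const field_meta empty_blob = { "some_blob", 0, MEDIUMBLOB_LENGTH, 252 };

unsigned long demo_buggy_empty_blob(void)         { return buggy_buffer_size(&empty_blob); }
unsigned long demo_safe_empty_blob_stored(void)   { return safe_buffer_size(&empty_blob, true, DEMO_INITIAL_CAP); }
unsigned long demo_safe_empty_blob_unstored(void) { return safe_buffer_size(&empty_blob, false, DEMO_INITIAL_CAP); }

/* A constructed 100000-byte value exceeds the initial cap, so the buffer must
 * grow to exactly 100000 bytes rather than to the 16M declared width. */
unsigned long demo_regrow_large_value(void)
{
    unsigned long len = 100000UL;
    unsigned char *value = malloc(len);
    if (!value) return 0;
    memset(value, 'x', len);
    unsigned long cap = fetch_with_regrow(&empty_blob, false, value, len);
    free(value);
    return cap;
}

int main(void)
{
    printf("buggy, empty MEDIUMBLOB:          %lu bytes\n", demo_buggy_empty_blob());
    printf("safe, stored result:              %lu bytes\n", demo_safe_empty_blob_stored());
    printf("safe, result not stored:          %lu bytes\n", demo_safe_empty_blob_unstored());
    printf("safe, 100000-byte value, regrown: %lu bytes\n", demo_regrow_large_value());
    return 0;
}
```

The point the model makes is that max_length == 0 is ambiguous on its own: it means "all values are empty" only after store_result(), and before that the declared width is a worst case that should bound, not drive, the allocation.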

Reproduce code:
Assume there exists a table:


<?php
$m = new mysqli( MY_DB_HOST, MY_DB_USER, MY_DB_PASS ); // MY_DB_* are constants from the reporter's environment
$s = new mysqli_stmt( $m, "SELECT some_blob FROM a_table WHERE some_blob='' LIMIT 1" ); // prepares the statement
print_r( $s->result_metadata()->fetch_fields() ); // shows max_length == 0 and the declared length
$s->bind_result( $data ); // this is where the 16M buffer is allocated
print_r( $data );


Expected result:
    [0] => stdClass Object
            [name] => some_blob
            [orgname] => some_blob
            [table] => a_table
            [orgtable] => a_table
            [def] => 
            [max_length] => 0
            [length] => 0
            [charsetnr] => 63
            [flags] => 144
            [type] => 252
            [decimals] => 0


Actual result:
    [0] => stdClass Object
            [name] => some_blob
            [orgname] => some_blob
            [table] => a_table
            [orgtable] => a_table
            [def] => 
            [max_length] => 0
            [length] => 16777215
            [charsetnr] => 63
            [flags] => 144
            [type] => 252
            [decimals] => 0


Fatal error: Allowed memory size of 8388608 bytes exhausted 
(tried to allocate 16777216 bytes) in test.php on line 8


 [2005-12-22 19:14 UTC]
Should be fixed by now.
Thanks for reporting!
 [2005-12-25 02:56 UTC] squasar at eternalviper dot net
I apologize for misunderstanding; this is fixed in 5.1.2-
CVS, but I'm used to there being a "This bug has been fixed 
in CVS." message for that. Regardless, the test case in CVS 
(ext/mysqli/tests/bug35759.phpt) is non-functional for the 
issue; it does not check that memory limits are enabled or 
ensure that a memory limit is set if so, and thus does not 
necessarily test the problem (The default memory limit if 
it's been compiled in is of course 8M, but this can't and 
shouldn't be relied upon). Here's the unified diff of my 

Index: ext/mysqli/tests/bug35759.phpt
RCS file: /repository/php-src/ext/mysqli/tests/Attic/
retrieving revision
diff -u -r1.1.2.1 bug35759.phpt
--- ext/mysqli/tests/bug35759.phpt      22 Dec 2005 18:11:39 
+++ ext/mysqli/tests/bug35759.phpt      25 Dec 2005 01:51:31 
@@ -1,7 +1,10 @@
 bug #35759 : mysqli_stmt_bind_result() makes huge 
allocation when column empty
-<?php require_once(''); ?>
+<?php require_once(''); 
+if ( !function_exists( 'memory_get_usage' ) ) die( 'skip 
requires --enable-memory-limit' ); ?>
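Review bot: the added function_exists('memory_get_usage') guard only detects whether PHP was built with --enable-memory-limit; it neither checks nor sets the memory_limit value, so on a build with a large or unlimited memory_limit the 16M allocation still succeeds and the test passes without exercising the bug, which is the gap the comment above itself describes ("ensure that a memory limit is set"). Consider setting the limit explicitly for the test, for example ini_set('memory_limit', '8M') in the test body or an --INI-- section, so the regression fails deterministically, and keep the skip condition separate from the test body.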
 [2005-12-25 10:48 UTC]
Andrey, please check it out.
 [2005-12-27 10:44 UTC]
The bug wasn't specific only to PHP compiled with memory limit. The test case pushes to the limit so it checks for a regression problem if mysqli will try to allocate 16M for every column in the result set which has MAX()=0. Not every PHP build is done with memory_limit enabled so this test case checks the common case. If there is a problem PHP will explode with OOM. 16M * 1000 = 16G to be allocated
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Apr 16 18:01:23 2021 UTC