Bug #38535 PDO::errorInfo() many memory errors in pdo_pgsql
Submitted: 2006-08-21 13:58 UTC Modified: 2006-08-21 16:54 UTC
From: pierre@php.net Assigned: iliaa
Status: Closed Package: PDO related
PHP Version: 5CVS-2006-08-21 (CVS) OS: All
Private report: No CVE-ID:
 [2006-08-21 13:58 UTC] pierre@php.net
Description:
------------
Using any kind of error, errorInfo uses uninitialized or already freed memory.

This simple script shows the problem.

It is on AMD64, using pgsql 8.1.4

Reproduce code:
---------------
<?php
// Connection details for the test database (placeholders).
$dsn = 'pgsql:host=localhost;port=5432;dbname=foo;';
$user = 'test';
$password = '12345';
$pdo = new PDO($dsn, $user, $password);

// Deliberately malformed SQL (",," after 'value') so the server rejects
// the statement and the handle's error information gets populated.
$sql = "INSERT INTO
bar
(
 field
 ) VALUES (
'value',,
)
 ";

// With the default PDO::ERRMODE_SILENT, query() returns false on failure
// and the SQLSTATE / driver code / message are exposed via errorInfo().
if (!$pdo->query($sql)) {
    var_dump($pdo->errorInfo());
} else {
    var_dump("ok");
}


Actual result:
--------------
==21482== Use of uninitialised value of size 8
==21482==    at 0x5680DE9: BN_mod_exp_mont_consttime (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x56A25E7: (within /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x54D2451: ssl3_send_client_key_exchange (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D3737: ssl3_connect (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x4FE9DDD: pqsecure_open_client (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDDC1B: PQconnectPoll (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDF5D0: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDF84E: PQconnectdb (in /usr/lib/libpq.so.4.1)
==21482==    by 0x5475CC: pdo_pgsql_handle_factory (pgsql_driver.c:670)
==21482==    by 0x535055: zim_PDO_dbh_constructor (pdo_dbh.c:372)
==21482==    by 0x70205C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21482==    by 0x703312: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21482==
==21482== Use of uninitialised value of size 8
==21482==    at 0x56819C0: BN_num_bits_word (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x5681A22: BN_num_bits (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x5680A87: BN_mod_exp_mont_consttime (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x56A2801: (within /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x54D273E: ssl3_send_client_key_exchange (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D3737: ssl3_connect (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x4FE9DDD: pqsecure_open_client (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDDC1B: PQconnectPoll (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDF5D0: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDF84E: PQconnectdb (in /usr/lib/libpq.so.4.1)
==21482==    by 0x5475CC: pdo_pgsql_handle_factory (pgsql_driver.c:670)
==21482==    by 0x535055: zim_PDO_dbh_constructor (pdo_dbh.c:372)
==21482==
==21482== Use of uninitialised value of size 8
==21482==    at 0x5680DE9: BN_mod_exp_mont_consttime (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x56A2801: (within /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x54D273E: ssl3_send_client_key_exchange (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D3737: ssl3_connect (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x4FE9DDD: pqsecure_open_client (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDDC1B: PQconnectPoll (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDF5D0: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDF84E: PQconnectdb (in /usr/lib/libpq.so.4.1)
==21482==    by 0x5475CC: pdo_pgsql_handle_factory (pgsql_driver.c:670)
==21482==    by 0x535055: zim_PDO_dbh_constructor (pdo_dbh.c:372)
==21482==    by 0x70205C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21482==    by 0x703312: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21482==
==21482== Conditional jump or move depends on uninitialised value(s)
==21482==    at 0x4C5697E: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57645: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57E89: deflate (in /usr/lib/libz.so.1.2.3)
==21482==    by 0x56FB24C: (within /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x56FAEB1: COMP_compress_block (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x54D60DB: ssl3_do_compress (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D633E: (within /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D661D: ssl3_write_bytes (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x4FEA4B5: pqsecure_write (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FE333B: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FE0C1B: PQsendQuery (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FE12E8: PQexec (in /usr/lib/libpq.so.4.1)
==21482==
==21482== Source and destination overlap in memcpy(0x6D502F0, 0x6D5031C, 200)
==21482==    at 0x4A1BA62: memcpy (mac_replace_strmem.c:394)
==21482==    by 0x6BDA14: _estrndup (zend_alloc.c:1733)
==21482==    by 0x6DDB4C: add_next_index_string (zend_API.c:1194)
==21482==    by 0x537608: zim_PDO_errorInfo (pdo_dbh.c:979)
==21482==    by 0x70205C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21482==    by 0x703312: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21482==    by 0x7019B9: execute (zend_vm_execute.h:92)
==21482==    by 0x6DBC37: zend_execute_scripts (zend.c:1095)
==21482==    by 0x68C928: php_execute_script (main.c:1759)
==21482==    by 0x768D09: main (php_cli.c:1097)
array(3) {
  [0]=>
  string(200) "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ�̏*ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ�̏*"
  [1]=>
  int(7)
  [2]=>
  string(51) "ERROR:  syntax error at or near "," at character 99"
}
==21482==
==21482== Conditional jump or move depends on uninitialised value(s)
==21482==    at 0x4C56946: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57645: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57E89: deflate (in /usr/lib/libz.so.1.2.3)
==21482==    by 0x56FB24C: (within /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x56FAEB1: COMP_compress_block (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x54D60DB: ssl3_do_compress (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D633E: (within /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D661D: ssl3_write_bytes (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x4FEA4B5: pqsecure_write (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FE333B: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDCBB6: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDCBDD: PQfinish (in /usr/lib/libpq.so.4.1)
==21482==
==21482== Conditional jump or move depends on uninitialised value(s)
==21482==    at 0x4C56901: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57645: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57E89: deflate (in /usr/lib/libz.so.1.2.3)
==21482==    by 0x56FB24C: (within /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x56FAEB1: COMP_compress_block (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x54D60DB: ssl3_do_compress (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D633E: (within /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D661D: ssl3_write_bytes (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x4FEA4B5: pqsecure_write (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FE333B: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDCBB6: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDCBDD: PQfinish (in /usr/lib/libpq.so.4.1)
==21482==
==21482== Conditional jump or move depends on uninitialised value(s)
==21482==    at 0x4C5690C: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57645: (within /usr/lib/libz.so.1.2.3)
==21482==    by 0x4C57E89: deflate (in /usr/lib/libz.so.1.2.3)
==21482==    by 0x56FB24C: (within /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x56FAEB1: COMP_compress_block (in /usr/lib/libcrypto.so.0.9.8)
==21482==    by 0x54D60DB: ssl3_do_compress (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D633E: (within /usr/lib/libssl.so.0.9.8)
==21482==    by 0x54D661D: ssl3_write_bytes (in /usr/lib/libssl.so.0.9.8)
==21482==    by 0x4FEA4B5: pqsecure_write (in /usr/lib/libpq.so.4.1)
==21482==    by 0x4FE333B: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDCBB6: (within /usr/lib/libpq.so.4.1)
==21482==    by 0x4FDCBDD: PQfinish (in /usr/lib/libpq.so.4.1)
==21482==
==21482== ERROR SUMMARY: 43800 errors from 21 contexts (suppressed: 17 from 3)
==21482== malloc/free: in use at exit: 59,508 bytes in 1,951 blocks.
==21482== malloc/free: 23,706 allocs, 21,755 frees, 3,598,515 bytes allocated.
==21482== For counts of detected errors, rerun with: -v
==21482== searching for pointers to 1,951 not-freed blocks.
==21482== checked 2,543,544 bytes.
==21482==
==21482== LEAK SUMMARY:
==21482==    definitely lost: 292 bytes in 11 blocks.
==21482==      possibly lost: 0 bytes in 0 blocks.
==21482==    still reachable: 59,216 bytes in 1,940 blocks.
==21482==         suppressed: 0 bytes in 0 blocks.
==21482== Use --leak-check=full to see details of leaked memory.


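The frame that matters in the trace above is zim_PDO_errorInfo (pdo_dbh.c:979) duplicating the driver's error code with add_next_index_string: the first element of errorInfo() should be a 5-character SQLSTATE, yet the copy is 200 bytes of heap contents. That is consistent with a fixed-size code buffer that lost its NUL terminator, so a strlen()-based duplicate walked past it into neighbouring memory. The C example below is added here for illustration and is not PDO's or pdo_pgsql's code; the struct layout, function names, the "HY000" fallback and the 'Z' fill are constructed. It shows the bounded pattern a driver should use for such a buffer: validate and terminate on store, and measure with a bounded scan on read so a missing terminator is detected rather than followed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* A SQLSTATE is 5 characters from [0-9A-Z]; the buffer holds it plus a NUL. */
#define SQLSTATE_LEN 5
typedef char sqlstate_t[SQLSTATE_LEN + 1];

/* General-error SQLSTATE used as the fallback when the server gives no usable code. */
#define SQLSTATE_GENERAL "HY000"

/* Stand-in for a driver handle (constructed): the code buffer is followed by
 * other data, so an unterminated strlen() would run straight into `trailing`. */
struct db_handle {
    sqlstate_t error_code;
    char trailing[32];
};

/* strnlen() equivalent, kept local so the example builds under strict -std=c11. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 if buf holds exactly 5 chars from [0-9A-Z] followed by a NUL within
 * the 6-byte buffer. Never reads more than sizeof(sqlstate_t) bytes, so it is
 * safe to call on a buffer whose terminator has been lost. */
int sqlstate_is_wellformed(const sqlstate_t buf)
{
    if (bounded_len(buf, sizeof(sqlstate_t)) != SQLSTATE_LEN)
        return 0;
    for (size_t i = 0; i < SQLSTATE_LEN; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!(isdigit(c) || (c >= 'A' && c <= 'Z')))
            return 0;
    }
    return 1;
}

/* Bounded store. Accepts src only if it is a well-formed SQLSTATE; otherwise
 * stores the general code. Always writes the terminator and never reads more
 * than SQLSTATE_LEN + 1 bytes of src (which may be NULL, as libpq can return
 * for a missing error field). Returns 1 if src was accepted, 0 on fallback. */
int sqlstate_set(sqlstate_t dst, const char *src)
{
    if (src != NULL && bounded_len(src, SQLSTATE_LEN + 1) == SQLSTATE_LEN) {
        sqlstate_t tmp;
        memcpy(tmp, src, SQLSTATE_LEN);
        tmp[SQLSTATE_LEN] = '\0';
        if (sqlstate_is_wellformed(tmp)) {
            memcpy(dst, tmp, sizeof(sqlstate_t));
            return 1;
        }
    }
    memcpy(dst, SQLSTATE_GENERAL, sizeof(sqlstate_t));
    return 0;
}

/* Simulates the faulty write: fills all 6 bytes of the code buffer with 'Z'
 * and leaves no terminator, then fills the neighbour so an unbounded walk
 * would keep going. Returns what the bounded scan reports (6), which is how
 * a caller notices the buffer is not a valid C string. */
size_t simulate_unterminated_fill(struct db_handle *h)
{
    memset(h->error_code, 'Z', sizeof(h->error_code));
    memset(h->trailing, 'Z', sizeof(h->trailing) - 1);
    h->trailing[sizeof(h->trailing) - 1] = '\0';
    return bounded_len(h->error_code, sizeof(h->error_code));
}

int main(void)
{
    struct db_handle h;
    memset(&h, 0, sizeof(h));

    /* Good path: the server reported a syntax error (SQLSTATE 42601). */
    printf("set 42601 -> accepted=%d code=%s wellformed=%d\n",
           sqlstate_set(h.error_code, "42601"), h.error_code,
           sqlstate_is_wellformed(h.error_code));

    /* Missing field: fall back instead of copying from a NULL pointer. */
    printf("set NULL  -> accepted=%d code=%s\n",
           sqlstate_set(h.error_code, NULL), h.error_code);

    /* Faulty path: bounded scan reports 6, validator rejects, nothing read past the buffer. */
    size_t n = simulate_unterminated_fill(&h);
    printf("unterminated -> bounded_len=%zu wellformed=%d\n",
           n, sqlstate_is_wellformed(h.error_code));
    return 0;
}
```

The point of the bounded scan is that it turns the failure mode in the report (an over-long, garbage-filled first element) into a detectable condition instead of a heap read that reaches the application, which will typically log or display errorInfo() verbatim.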
 [2006-08-21 16:54 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


Last updated: Thu Apr 24 21:01:55 2014 UTC