|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38710 data leakage because of nonexisting boundary checking in statements
Submitted: 2006-09-04 10:34 UTC Modified: 2007-07-11 12:28 UTC
From: domas at mysql dot com Assigned: georg
Status: Closed Package: MySQLi related
PHP Version: 5.1.6 OS: Any
Private report: No CVE-ID:
 [2006-09-04 10:34 UTC] domas at mysql dot com
If function is executed in a prepared statement (like CONCAT, 
UNCOMPRESS, etc), it allocates 8192-sized buffer, but fetch() 
doesn't check actual length of data. If data crosses 8192-byte 
boundary, all sorts of weird stuff starts to happen, including 
possible sensitive data disclosures of non-overwrited buffers 
(at smaller lengths) or process crashes (at bigger ones). 

Reproduce code:
$db=new mysqli("localhost","root","","test");
$qry->prepare("SELECT REPEAT('a',100000)");

Expected result:

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-09-04 10:35 UTC] domas at mysql dot com
#0  0x007c758c in memcpy () from /lib/tls/
#1  0x081b6d91 in _estrndup ()
#2  0x05698383 in zif_mysqli_stmt_fetch (ht=147132188, 
return_value=0x8c420bc, return_value_ptr=0x0, 
this_ptr=0x8c50f1c, return_value_used=0)
    at /usr/src/redhat/BUILD/php-5.1.6/ext/mysqli/
#3  0x081e9a81 in zend_do_fcall_common_helper_SPEC ()
#4  0x081e93bb in execute ()
#5  0x081ce2e0 in zend_execute_scripts ()
#6  0x08192006 in php_execute_script ()
#7  0x00000000 in ?? ()
 [2007-03-08 22:51 UTC]
Please try using this CVS snapshot:
For Windows:

I've committed semi-fix (real fix would be to fetch all the data, I guess). 
 [2007-04-11 22:41 UTC]
Georg, any news on this?
I can't reproduce it locally, but seems to fail on, see
 [2007-07-11 12:28 UTC]
Should have been fixed by Stas.
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Thu Nov 26 16:01:32 2015 UTC