Bug #39134 PHP + FreeTDS 0.64 crashes when TEXT field with empty string encountered
Submitted: 2006-10-12 08:45 UTC Modified: 2007-07-19 01:00 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:3 (75.0%)
From: jr-phpbugs at cedric dot unob dot cz Assigned:
Status: No Feedback Package: MSSQL related
PHP Version: 4.4.4 OS: linux (irrelevant)
Private report: No CVE-ID: None
 [2006-10-12 08:45 UTC] jr-phpbugs at cedric dot unob dot cz
Description:
------------
PHP, compiled with --with-sybase-ct=/usr/localFreeTDS crashes with segmentation fault on SELECT from column of type TEXT with empty string value.

Observed on PHP compiled with --with-sybase-ct=/path/to/freetds-0.64/prefix, against MSSQL server 2000

Affects FreeTDS 0.64 and 0.64.1 (with 'post64.patch.gz' applied). Has not been observed with FreeTDS 0.63.

FreeTDS 0.64 alone (without PHP) is not affected.

Possible bug in ext/sybase_ct/php_sybase_ct.c


Reproduce code:
---------------
in MSSQL Enterprise manager:

CREATE TABLE [dbo].[TEST] (
	[TEST_ID] [int] IDENTITY (1, 1) NOT NULL ,
	[TEST_VALUE] [int] NOT NULL ,
	[TEST_TEXT] [text] NULL
) 
insert into TEST (TEST_VALUE) values ('5');
insert into TEST (TEST_VALUE,TEST_TEXT) values ('6','');

in PHP script:
...
$query="SELECT test_text FROM test WHERE test_id=2";
$res=mssql_query($query,$db);


Expected result:
----------------
Empty string.

Actual result:
--------------
PHP crashes with segmentation fault.

CLI version:
- crash with "segmentation fault" message

libphp4.so version:
- affected thread produces a line "[notice] child pid XXXXX exit signal Segmentation fault (11)"  in Apache's error log.


 [2006-10-12 09:32 UTC] jr-phpbugs at cedric dot unob dot cz
Since I omitted double-quotes at the end of the query, here's the corrected one:

$query="SELECT test_text FROM test WHERE test_id=2";
 [2006-10-12 10:32 UTC] jr-phpbugs at cedric dot unob dot cz
(gdb) bt
#0  0x003e830f in memcpy () from /lib/libc.so.6
#1  0x0816d0ca in _estrndup (s=0x838a4ac "", length=137940992,
    __zend_filename=0x8235d40 "/usr/local/src/php/php-4.4.4/ext/sybase_ct/php_sybase_ct.c", __zend_lineno=1185, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/local/src/php/php-4.4.4/Zend/zend_alloc.c:409
#2  0x0813627c in php_sybase_fetch_result_row (result=0x838b450, numrows=-1)
    at /usr/local/src/php/php-4.4.4/ext/sybase_ct/php_sybase_ct.c:1185
#3  0x08136857 in php_sybase_fetch_result_set (sybase_ptr=0x8352334,
    buffered=0, store=-1)
    at /usr/local/src/php/php-4.4.4/ext/sybase_ct/php_sybase_ct.c:1333
#4  0x08136ed3 in php_sybase_query (ht=-1, return_value=0x8389c14,
    this_ptr=0x0, return_value_used=1, buffered=0)
    at /usr/local/src/php/php-4.4.4/ext/sybase_ct/php_sybase_ct.c:1497
#5  0x081371e9 in zif_sybase_query (ht=2, return_value=0x8389c14,
    this_ptr=0x0, return_value_used=1)
    at /usr/local/src/php/php-4.4.4/ext/sybase_ct/php_sybase_ct.c:1626
#6  0x0818819c in execute (op_array=0x83522ac)
    at /usr/local/src/php/php-4.4.4/Zend/zend_execute.c:1675
#7  0x0817a183 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php/php-4.4.4/Zend/zend.c:934
#8  0x0815336b in php_execute_script (primary_file=0xbfffdbe0)
    at /usr/local/src/php/php-4.4.4/main/main.c:1752
#9  0x0818c938 in main (argc=4, argv=0xbfffdc74)
    at /usr/local/src/php/php-4.4.4/sapi/cli/php_cli.c:832
#10 0x00381bb4 in __libc_start_main () from /lib/libc.so.6

(gdb) frame 6
#6  0x0818819c in execute (op_array=0x83522ac)
    at /usr/local/src/php/php-4.4.4/Zend/zend_execute.c:1675
1675                                                            ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);

(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$4 = 0x82358ed "mssql_query"

(gdb) print (char *)executor_globals.active_op_array->function_name
$5 = 0x0

(gdb) print (char *)executor_globals.active_op_array->filename
$6 = 0x83563b4 "/root/crash.php3"
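The backtrace above shows _estrndup() being entered with s="" and length=137940992 for the empty TEXT value, so memcpy() runs far past the column buffer. The C program below is an added example, not code from PHP or FreeTDS: it models that pattern with a constructed stand-in driver (fake_driver_fetch, assumed to leave the length slot unwritten for an empty value; whether the real driver does this is an assumption of the example, not something the report establishes) and puts the hardened fetch beside it: initialise the length before the fetch and bounds-check it against the buffer before any copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the buffer the column value is fetched into. */
#define COL_BUF_SIZE 4096

/* Constructed stand-in for a driver fetch routine (not FreeTDS's ct_fetch).
 * It writes the column bytes into buf and reports the byte count through
 * *len, but for an empty value it leaves *len untouched. That omission is the
 * assumed failure mode this example models: the caller then hands a stale
 * length to its copy routine. Returns 1 on success, 0 if value does not fit. */
static int fake_driver_fetch(const char *value, char *buf, size_t bufsize, int *len)
{
    size_t n = strlen(value);
    if (n >= bufsize) {
        return 0;
    }
    memcpy(buf, value, n + 1);      /* include the terminating NUL */
    if (n > 0) {
        *len = (int)n;              /* empty value: length slot not written */
    }
    return 1;
}

/* Unsafe pattern: the length slot is neither initialised before the fetch nor
 * checked afterwards. Returns the byte count that would be passed to a
 * strndup-style copy, without performing it, so the over-read never happens
 * here. The stale value stands in for whatever was left in memory. */
static int unsafe_copy_length(const char *value)
{
    char buf[COL_BUF_SIZE];
    int len = 137940992;            /* constructed stale value, as in the backtrace */
    if (!fake_driver_fetch(value, buf, sizeof buf, &len)) {
        return -1;
    }
    return len;                     /* for "" this is the garbage value, not 0 */
}

/* Bounds check applied before any copy: a reported length must be
 * non-negative and must fit in the buffer it claims to describe. */
static int length_is_sane(int len, size_t capacity)
{
    return len >= 0 && (size_t)len < capacity;
}

/* Hardened pattern: initialise the length to 0 before the fetch so an
 * unwritten slot means "empty", then refuse to copy unless the length is
 * consistent with the buffer. Returns a malloc'd copy, or NULL on error. */
static char *fetch_column_safe(const char *value)
{
    char buf[COL_BUF_SIZE];
    int len = 0;
    char *out;

    if (!fake_driver_fetch(value, buf, sizeof buf, &len)) {
        return NULL;
    }
    if (!length_is_sane(len, sizeof buf)) {
        return NULL;                /* treat a nonsense length as a driver error */
    }
    out = malloc((size_t)len + 1);
    if (out == NULL) {
        return NULL;
    }
    memcpy(out, buf, (size_t)len);
    out[len] = '\0';
    return out;
}

/* Helper for checking: 1 if the hardened fetch returns exactly 'expected'. */
static int safe_fetch_equals(const char *value, const char *expected)
{
    char *s = fetch_column_safe(value);
    int ok = (s != NULL) && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("unsafe length for \"\": %d\n", unsafe_copy_length(""));
    printf("unsafe length for \"abc\": %d\n", unsafe_copy_length("abc"));
    printf("safe fetch of \"\" gives empty string: %d\n", safe_fetch_equals("", ""));
    printf("safe fetch of \"hello\": %d\n", safe_fetch_equals("hello", "hello"));
    return 0;
}
```

The hardened variant fails closed: a length that cannot describe the buffer is reported as an error to the caller instead of being trusted, and a zero-initialised slot turns the unwritten-length case into the empty string the reporter expected.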
 [2006-10-31 05:22 UTC] cameron dot mcshane at csiro dot au
I have also experienced this problem. Details:

SuSE SLES 9
php 4.4.2 ('./configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--prefix=/usr/local/php' '--with-sybase-ct=/usr/local/freetds')
FreeTDS 0.64
MS SQL 2000

Have tested code as provided in original bug report.

CLI version:
- crash with "segmentation fault" message

libphp4.so version:
- affected thread produces a line "[notice] child pid XXXXX exit signal Segmentation fault (11)" in Apache's error log.

backtrace included below:


Program received signal SIGSEGV, Segmentation fault.
0x4014c40c in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4014c40c in memcpy () from /lib/tls/libc.so.6
#1  0x0811d82b in _estrndup (s=0x820522c "", length=136454143) at /usr/src/php-4.4.2/Zend/zend_alloc.c:387
#2  0x080e6c18 in php_sybase_fetch_result_row (result=0x81e825f, numrows=-1) at /usr/src/php-4.4.2/ext/sybase_ct/php_sybase_ct.c:1185
#3  0x080e8586 in php_sybase_fetch_result_set (sybase_ptr=0x81caf7c, buffered=0, store=<value optimized out>)
    at /usr/src/php-4.4.2/ext/sybase_ct/php_sybase_ct.c:1333
#4  0x080e8bbb in php_sybase_query (ht=<value optimized out>, return_value=0x81cdb1c, this_ptr=<value optimized out>, return_value_used=1, buffered=0)
    at /usr/src/php-4.4.2/ext/sybase_ct/php_sybase_ct.c:1497
#5  0x0813ad3c in execute (op_array=0x81caf14) at /usr/src/php-4.4.2/Zend/zend_execute.c:1675
#6  0x08129623 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-4.4.2/Zend/zend.c:934
#7  0x0810181e in php_execute_script (primary_file=0xbffff3c0) at /usr/src/php-4.4.2/main/main.c:1753
#8  0x0813bda2 in main (argc=2, argv=0xbffff484) at /usr/src/php-4.4.2/sapi/cli/php_cli.c:830
(gdb) frame 5
#5  0x0813ad3c in execute (op_array=0x81caf14) at /usr/src/php-4.4.2/Zend/zend_execute.c:1675
1675                                                            ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8150075 "mssql_query"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x81cefdc ""
(gdb)
 [2006-10-31 15:41 UTC] fmk@php.net
Try using --with-mssql instead of --with-sybase-ct. When you are compiling with the sybase option you are not using the MSSQL extension but the sybase extension that happens to have aliases so you can use mssql_* when you call the functions.

- Frank
 [2006-11-01 09:49 UTC] jr-phpbugs at cedric dot unob dot cz
Tested & confirmed: php_mssql extension does not have the problem described. It is a php_sybase_ct extension bug in connection with FreeTDS 0.64.
 [2007-06-07 17:01 UTC] tsidelinger at columbuslibrary dot org
We are experiencing a similar issue.  Our php scripts will segmentation fault when a NULL record is encountered.

PHP version: php4-4.3.4-43.77
OS: SLES9 x86_64
FreeTDS Version: 0.64
ODBC Version: unixODBC-2.2.12-13

Our development server is 32 bits, but otherwise identical.  Everything works great in development.

We have tried the same sql queries via isql and they work just fine.  Thus, this seems like a PHP issue.

Here is a sample PHP script below.

<html>
<body>
<table>

<?php
# connect to the Database
$connect = odbc_connect("volunteens-devl", "xxxxxxx", "xxxxxxxx");

# query the users table for all fields
$query = "select top 20 registration_date from REGISTRATIONS";

# perform the query
$result = odbc_exec($connect, $query);

# fetch the data from the database
while (odbc_fetch_row($result))
{
    $field1 = odbc_result($result, 1);
    print("<tr><td>$field1</td></tr>");
}

# close the connection
odbc_close($connect);

?>

</table>
</body>
</html>
 [2007-07-19 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-11-20 14:20 UTC] afriabdul_md at yahoo dot co dot in
request
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC