php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44202 PDO_PGSQL crash when trying to use emulated PS
Submitted: 2008-02-21 11:07 UTC Modified: 2008-02-27 00:01 UTC
From: uwendel at mysql dot com Assigned:
Status: Closed Package: PDO related
PHP Version: 5.3CVS-2008-02-21 (CVS) OS: Linux
Private report: No CVE-ID:
 [2008-02-21 11:07 UTC] uwendel at mysql dot com
Description:
------------
I was trying to force PDO_PGSQL into emulated PS mode to show that not only PDO_MYSQL but also PDO_PGSQL might suffer from an emulated PS parser flaw and found this crash:

$pdo = new PDO(...);
$stmt = $pdo->prepare('SELECT "?"', array(PDO::ATTR_EMULATE_PREPARES => 1));
$stmt->execute(array("questionmark"));

PDO_PGSQL seems to be the only driver but PDO_MYSQL which you can force to use emulated PS. However, PDO_MYSQL and PDO_PGSQL use different approaches for enforcing emulation. PDO_MYSQL uses $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, ...) and PDO_PGSQL requires you to use $pdo->prepare(..., array(PDO::ATTR_EMULATE_PREPARES => ...)). So, one uses setAttribute() and the other uses prepare(). As PDO is aimed to be a database access layer abstraction, I wonder if this could be unified. 

Reproduce code:
---------------
nixnutz@ulflinux:~/php53> valgrind sapi/cli/php -r '$pdo = new PDO("pgsql:host=localhost port=5432 dbname=phptest user=postgres password="); $stmt = $pdo->prepare("SELECT \"?\"", array(PDO::ATTR_EMULATE_PREPARES => 1));  $stmt->execute(array("questionmark"));'
==10277== Memcheck, a memory error detector.
==10277== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==10277== Using LibVEX rev 1732, a library for dynamic binary translation.
==10277== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==10277== Using valgrind-3.2.3, a dynamic binary instrumentation framework.
==10277== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==10277== For more details, rerun with: -v
==10277==
==10277== Conditional jump or move depends on uninitialised value(s)
==10277==    at 0x715D43F: slpmloclfv (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x715D17E: slpmloc (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x715A6A4: lpmloadpkg (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x71404EE: lfvLoadPkg (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x7140179: lfvSetShlMode (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x713FF78: lfvini1 (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x713FC94: lfvinit (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x6D62C29: kpummpin (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x66CC064: kpuenvcr (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x676CE5D: OCIEnvCreate (in /usr/lib/oracle/10.2.0.3/client64/lib/libclntsh.so.10.1)
==10277==    by 0x49D857: zm_startup_pdo_oci (pdo_oci.c:96)
==10277==    by 0x603A86: zend_startup_module_ex (zend_API.c:1607)
==10277==
==10277== Invalid read of size 4
==10277==    at 0x608EA0: zend_hash_num_elements (zend_hash.c:1014)
==10277==    by 0x4A2BF2: pgsql_stmt_param_hook (pgsql_statement.c:254)
==10277==    by 0x495C13: dispatch_param_event (pdo_stmt.c:173)
==10277==    by 0x49785A: zim_PDOStatement_execute (pdo_stmt.c:494)
==10277==    by 0x62C1B3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:190)
==10277==    by 0x61E4DA: execute (zend_vm_execute.h:91)
==10277==    by 0x5F1A42: zend_eval_string (zend_execute_API.c:1278)
==10277==    by 0x5F1BB7: zend_eval_string_ex (zend_execute_API.c:1311)
==10277==    by 0x68A81C: main (php_cli.c:1175)
==10277==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==10277==
==10277== Process terminating with default action of signal 11 (SIGSEGV)
==10277==  Access not within mapped region at address 0x8
==10277==    at 0x608EA0: zend_hash_num_elements (zend_hash.c:1014)
==10277==    by 0x4A2BF2: pgsql_stmt_param_hook (pgsql_statement.c:254)
==10277==    by 0x495C13: dispatch_param_event (pdo_stmt.c:173)
==10277==    by 0x49785A: zim_PDOStatement_execute (pdo_stmt.c:494)
==10277==    by 0x62C1B3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:190)
==10277==    by 0x61E4DA: execute (zend_vm_execute.h:91)
==10277==    by 0x5F1A42: zend_eval_string (zend_execute_API.c:1278)
==10277==    by 0x5F1BB7: zend_eval_string_ex (zend_execute_API.c:1311)
==10277==    by 0x68A81C: main (php_cli.c:1175)
==10277==
==10277== Invalid free() / delete / delete[]
==10277==    at 0x4C2191B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==10277==    by 0x7D7EB6A: (within /lib64/libc-2.6.1.so)
==10277==    by 0x7D7E738: __libc_freeres (in /lib64/libc-2.6.1.so)
==10277==    by 0x4A1D354: _vgnU_freeres (in /usr/lib64/valgrind/amd64-linux/vgpreload_core.so)
==10277==    by 0x4A2BF2: pgsql_stmt_param_hook (pgsql_statement.c:254)
==10277==    by 0x495C13: dispatch_param_event (pdo_stmt.c:173)
==10277==    by 0x49785A: zim_PDOStatement_execute (pdo_stmt.c:494)
==10277==    by 0x62C1B3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:190)
==10277==    by 0x61E4DA: execute (zend_vm_execute.h:91)
==10277==    by 0x5F1A42: zend_eval_string (zend_execute_API.c:1278)
==10277==    by 0x5F1BB7: zend_eval_string_ex (zend_execute_API.c:1311)
==10277==    by 0x68A81C: main (php_cli.c:1175)
==10277==  Address 0x4049978 is not stack'd, malloc'd or (recently) free'd
==10277==
==10277== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 20 from 2)
==10277== malloc/free: in use at exit: 3,103,433 bytes in 10,493 blocks.
==10277== malloc/free: 11,015 allocs, 523 frees, 3,424,549 bytes allocated.
==10277== For counts of detected errors, rerun with: -v
==10277== searching for pointers to 10,493 not-freed blocks.
==10277== checked 4,530,496 bytes.
==10277==
==10277== LEAK SUMMARY:
==10277==    definitely lost: 0 bytes in 0 blocks.
==10277==      possibly lost: 0 bytes in 0 blocks.
==10277==    still reachable: 3,103,433 bytes in 10,493 blocks.
==10277==         suppressed: 0 bytes in 0 blocks.
==10277== Rerun with --leak-check=full to see details of leaked memory.
Speicherzugriffsfehler

Expected result:
----------------
Fix the crash


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-27 00:01 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 12:01:59 2014 UTC