Bug #44333 SEGFAULT when using mysql_pconnect() with client_flags
Submitted: 2008-03-04 21:03 UTC Modified: 2008-03-04 22:32 UTC
From: drake at oomkill dot net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2.6RC1 OS: Hardened Gentoo Linux (amd64)
Private report: No CVE-ID:
 [2008-03-04 21:03 UTC] drake at oomkill dot net
Description:
------------
Segfaults appear when using:
mysql_pconnect('localhost', 'foo', 'bar', 0);
but it runs fine when using:
mysql_pconnect('localhost', 'foo', 'bar');

The bug is most likely caused by trying to store a 'long' value in an 'int' on the stack.

At the beginning of php_mysql_do_connect() in ext/mysql/php_mysql.c there is the following declaration:
int client_flags = 0;

Later in that function, zend_parse_parameters() stores a long at &client_flags, which can also overwrite another variable on the stack.

Changing the client_flags to unsigned long (like it is defined in mysql's headers) solved my segfault problem.


Reproduce code:
---------------
<?php
// the user/pass don't have to be valid.
mysql_pconnect('localhost', 'foo', 'bar', 0);


Expected result:
----------------
No segfault.

Actual result:
--------------
Segfault. No php/zend error message in logs.
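The following is an added example, not code from the report or from ext/mysql/php_mysql.c. It reproduces the mechanism the reporter describes with a toy stand-in for zend_parse_parameters(): the "l" specifier stores a full C long through the pointer it is given, so when the caller's variable is a 4-byte int the store runs past it into whatever the compiler placed next on the stack. The two locals are modelled as a struct so the layout is fixed and the clobbered neighbour can be read back; on a real frame the neighbour is arbitrary, which is why the symptom was a crash rather than a wrong flag value. The names toy_parse_params, buggy_frame and fixed_frame are this example's own, and the overrun only exists where sizeof(long) > sizeof(int), i.e. on LP64 systems such as the reporter's amd64 Linux.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of two adjacent locals in the buggy php_mysql_do_connect() frame.
 * A struct is used instead of real stack locals so the layout is fixed;
 * on a real stack 'neighbour' is whatever the compiler put after
 * client_flags, which is why the symptom was a segfault. */
struct buggy_frame {
    int client_flags;   /* 'int client_flags = 0;' as in the report */
    int neighbour;      /* some other local, initialised to a sentinel */
};

/* The reporter's fix: widen client_flags to long, the type ZPP "l" writes. */
struct fixed_frame {
    long client_flags;
    int  neighbour;
};

#define SENTINEL 0x7777

/* Toy stand-in (hypothetical, not PHP's own code) for zend_parse_parameters():
 * for each 'l' in fmt it takes a destination pointer and a value and stores a
 * full C 'long' at the destination, as the real "l" specifier does. The
 * destination arrives as a bare pointer through the variadic list, so an int*
 * passed by mistake is accepted silently. memcpy keeps the demonstration well
 * defined even though the caller's object may be too small for the store. */
static void toy_parse_params(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        if (*fmt == 'l') {
            void *dest  = va_arg(ap, void *);
            long  value = va_arg(ap, long);
            memcpy(dest, &value, sizeof value);   /* writes sizeof(long) bytes */
        }
    }
    va_end(ap);
}

/* Buggy layout: returns the neighbour's value after the flags are parsed.
 * Where sizeof(long) == 8 the store runs 4 bytes past the int and overwrites
 * the neighbour, even for a flag value of 0 (the reporter's failing call). */
int neighbour_after_buggy_parse(long flags)
{
    struct buggy_frame f;
    f.client_flags = 0;
    f.neighbour = SENTINEL;
    /* the real caller passes the int* directly; the cast only silences the
     * pointer-type warning so the mismatch is visible in one place */
    toy_parse_params("l", (void *)&f.client_flags, flags);
    return f.neighbour;
}

/* Fixed layout: the store exactly fills the long, neighbour is untouched. */
int neighbour_after_fixed_parse(long flags)
{
    struct fixed_frame f;
    f.client_flags = 0;
    f.neighbour = SENTINEL;
    toy_parse_params("l", (void *)&f.client_flags, flags);
    return f.neighbour;
}

/* 1 if an int destination is too small for a long store on this platform. */
int platform_is_affected(void)
{
    return sizeof(long) > sizeof(int);
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(long)=%zu affected=%d\n",
           sizeof(int), sizeof(long), platform_is_affected());
    printf("buggy: neighbour = 0x%x (sentinel 0x%x)\n",
           neighbour_after_buggy_parse(0), SENTINEL);
    printf("fixed: neighbour = 0x%x\n", neighbour_after_fixed_parse(0));
    return 0;
}
```

Because the destination reaches the parser as an untyped pointer, the compiler cannot catch the size mismatch; the practical guard is to declare every variable handed to a "l" specifier as long, and a `_Static_assert(sizeof(client_flags) == sizeof(long), ...)` next to the declaration (C11) makes the intent checkable in later edits.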

History

 [2008-03-04 22:32 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC