Bug #45941 mysqli_stmt_fetch() crashes
Submitted: 2008-08-28 09:42 UTC Modified: 2010-04-07 20:34 UTC
Votes: 2
Avg. Score: 5.0 ± 0.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 1 (50.0%)
From: tony2001@php.net Assigned: mysql (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.3CVS-2008-08-28 (CVS) OS: Linux 64bit
Private report: No CVE-ID: None
 [2008-08-28 09:42 UTC] tony2001@php.net
Description:
------------
ext/mysqli/tests/mysqli_stmt_bind_result.phpt crashes.
The invalid write and the crash it causes are reproducible both in ZTS and non-ZTS modes.

#  mysql --version
mysql  Ver 14.12 Distrib 5.0.26, for suse-linux-gnu (x86_64) using readline 5.1

Using ./configure --with-mysqli seems to be enough (i.e. no mysqlnd used).

Reproduce code:
---------------
See ext/mysqli/tests/mysqli_stmt_bind_result.phpt

Actual result:
--------------
GDB bt:

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
    tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
842                             if (Z_TYPE_P(stmt->result.vars[i]) == IS_STRING) {
(gdb) bt
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
    tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
#1  0x00000000006e2aaa in zif_mysqli_stmt_fetch (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:984
#2  0x0000000000d3e3ca in zend_do_fcall_common_helper_SPEC (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:315
#3  0x0000000000d48039 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:1574
#4  0x0000000000d3c7ef in execute (op_array=0x1bf0240, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:104
#5  0x0000000000ce945f in zend_execute_scripts (type=8, tsrm_ls=0x18940c0, retval=0x0, file_count=3) at /local/qa/5_3.gcov/Zend/zend.c:1197
#6  0x0000000000bff458 in php_execute_script (primary_file=0x7fffb30af670, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/main/main.c:2074
#7  0x0000000000e04d76 in main (argc=61, argv=0x7fffb30af8c8) at /local/qa/5_3.gcov/sapi/cli/php_cli.c:1130


Valgrind log:
==25793== Invalid write of size 1
==25793==    at 0x5CC414: mysqli_stmt_fetch_libmysql (mysqli_api.c:826)
==25793==    by 0x5CCC93: zif_mysqli_stmt_fetch (mysqli_api.c:984)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==  Address 0x8b83368 is 0 bytes after a block of size 256 alloc'd
==25793==    at 0x4C22DAB: malloc (vg_replace_malloc.c:207)
==25793==    by 0x97D83A: _emalloc (zend_alloc.c:2285)
==25793==    by 0x5C9EBB: mysqli_stmt_bind_result_do_bind (mysqli_api.c:407)
==25793==    by 0x5CA55C: zif_mysqli_stmt_bind_result (mysqli_api.c:499)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==
==25793== Invalid read of size 8
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)
==25793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25793==
==25793== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25793==  Access not within mapped region at address 0x0
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)
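Added example, not part of this bug report or of PHP's own tooling: a small Python triage script that parses memcheck output of the shape quoted above and pairs each invalid access with the allocation site of the block it touched, so the "1-byte write, 0 bytes past a 256-byte block allocated in mysqli_stmt_bind_result_do_bind" relationship is extracted mechanically instead of by eye. The embedded sample log is a constructed excerpt of the report's own output (same PID, addresses, function names and line numbers); the classification labels are this script's own convention, not valgrind's.

```python
"""Pair memcheck 'Invalid read/write' reports with the allocation site of the
block they overran.  Added example; not part of the PHP bug report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the valgrind log quoted in the report above.
SAMPLE_LOG = """\
==25793== Invalid write of size 1
==25793==    at 0x5CC414: mysqli_stmt_fetch_libmysql (mysqli_api.c:826)
==25793==    by 0x5CCC93: zif_mysqli_stmt_fetch (mysqli_api.c:984)
==25793==  Address 0x8b83368 is 0 bytes after a block of size 256 alloc'd
==25793==    at 0x4C22DAB: malloc (vg_replace_malloc.c:207)
==25793==    by 0x97D83A: _emalloc (zend_alloc.c:2285)
==25793==    by 0x5C9EBB: mysqli_stmt_bind_result_do_bind (mysqli_api.c:407)
==25793==    by 0x5CA55C: zif_mysqli_stmt_bind_result (mysqli_api.c:499)
==25793==
==25793== Invalid read of size 8
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25793==
"""

ERR_RE = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (\d+) bytes "
                     r"(after|before|inside) a block of size (\d+) (alloc'd|free'd)$")
NULL_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is not stack'd, "
                     r"malloc'd or \(recently\) free'd$")
BLANK_RE = re.compile(r"^==\d+==\s*$")
# Allocator wrappers to skip when looking for the "real" allocation site.
ALLOCATORS = {"malloc", "calloc", "realloc", "_emalloc", "_ecalloc", "_erealloc"}


@dataclass
class Finding:
    kind: str                       # "Invalid write" / "Invalid read"
    size: int                       # bytes accessed
    address: str = ""
    access_frames: List[str] = field(default_factory=list)
    relation: Optional[str] = None  # after / before / inside a block
    offset: Optional[int] = None    # distance from the block boundary
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # alloc'd / free'd
    alloc_frames: List[str] = field(default_factory=list)

    @property
    def fault_site(self) -> str:
        return self.access_frames[0] if self.access_frames else "?"

    @property
    def alloc_site(self) -> Optional[str]:
        # First frame of the allocation stack that is not an allocator wrapper.
        for frame in self.alloc_frames:
            if frame.split(" (")[0] not in ALLOCATORS:
                return frame
        return None

    def classify(self) -> str:
        if self.block_state == "free'd":
            return "use-after-free"
        if self.block_state == "alloc'd" and self.relation in ("after", "before"):
            return "heap-overflow-" + ("write" if "write" in self.kind else "read")
        if self.offset is None:
            return "null-deref" if int(self.address, 16) < 4096 else "wild-pointer"
        return "other"


def parse_memcheck(text: str) -> List[Finding]:
    findings: List[Finding] = []
    current: Optional[Finding] = None
    in_alloc_stack = False
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            current = Finding(kind=m.group(1), size=int(m.group(2)))
            findings.append(current)
            in_alloc_stack = False
            continue
        if current is None:
            continue
        if BLANK_RE.match(line):      # empty "==PID==" line ends the report
            current = None
            continue
        m = ADDR_RE.match(line)
        if m:
            current.address, current.relation = m.group(1), m.group(3)
            current.offset, current.block_size = int(m.group(2)), int(m.group(4))
            current.block_state = m.group(5)
            in_alloc_stack = True     # frames that follow describe the allocation
            continue
        m = NULL_RE.match(line)
        if m:
            current.address = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            (current.alloc_frames if in_alloc_stack else current.access_frames).append(m.group(1))
    return findings


def summarize(text: str) -> List[str]:
    out = []
    for f in parse_memcheck(text):
        line = f"{f.classify()}: {f.kind} of size {f.size} at {f.fault_site}"
        if f.block_size is not None:
            line += (f"; {f.offset} bytes {f.relation} a {f.block_size}-byte block "
                     f"allocated in {f.alloc_site}")
        out.append(line)
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(entry)
```

On the sample the first entry comes out as a heap-overflow-write of 1 byte at mysqli_stmt_fetch_libmysql, 0 bytes past a 256-byte block allocated in mysqli_stmt_bind_result_do_bind; the second is the NULL read in _zval_ptr_dtor that finally kills the process. The same pairing works on any memcheck log, which is usually the fastest way to tell a one-byte off-by-one from a wild pointer when triaging a crash report like this one.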


 [2009-04-20 18:10 UTC] andrey dot hristov at sun dot com
Tony, I think I have seen this problem and it is because libmysql is faulty. I think it won't be reproducible with mysqlnd. There are other places where you can see problems with libmysql but mysqlnd will perfectly work. These are present in the test cases so we don't forget them.
 [2010-04-07 20:34 UTC] andrey@php.net
-Status: Assigned +Status: Closed
 [2010-04-07 20:34 UTC] andrey@php.net
Can't reproduce anymore, seems fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.