Bug #46808 Mysqli crashes on LONGTEXT columns
Submitted: 2008-12-09 07:31 UTC Modified: 2009-04-28 10:47 UTC
Votes:7
Avg. Score:4.6 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:3 (50.0%)
From: wcshields at gmail dot com Assigned:
Status: Not a bug Package: MySQLi related
PHP Version: 5.2.8 OS: Ubuntu 8.04 LTS x86 32 bit
Private report: No CVE-ID:
 [2008-12-09 07:31 UTC] wcshields at gmail dot com
Description:
------------
Mysqli restores garbage from longtext columns in mysql 5.0.51a connected over TCP (also happens with Unix domain sockets) and, after a random number of rows, seg faults.  The number of rows is unpredictable but consistent.  If you find something that crashes after 11 rows, it will crash after 11 rows every time.  Change the order by clause and it might crash every time after 3 rows.

As per bugs #44867 and several others I've found, people have been reporting this issue since as early as 2005 and it still hasn't been addressed.  Can someone PLEASE actually look into it?

Reproduce code:
---------------
<?php
// Connection parameters are placeholders for the reporter's environment.
$conn = new mysqli('localhost', 'user', 'password', 'db');
$stmt = $conn->prepare("SELECT name, longtext1 FROM sampletable");
$stmt->execute();
// Bind output columns; $value receives the LONGTEXT column as a string.
$stmt->bind_result($name, $value);
$count = 1;
while ($stmt->fetch()) {
    // strlen() gives the byte length of the string; sizeof() only counts array elements.
    $size = strlen($value);
    echo "$name $size\n";
    $count++;
}
$stmt->close();
?>

Expected result:
----------------
To retrieve the exact contents of all longtext values without crashing.

Actual result:
--------------
Segmentation fault.
$ gdb php core
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /lib/tls/i686/cmov/librt.so.1...done.
Loaded symbols for /lib/tls/i686/cmov/librt.so.1
Reading symbols from /lib/tls/i686/cmov/libresolv.so.2...done.
Loaded symbols for /lib/tls/i686/cmov/libresolv.so.2
Reading symbols from /lib/tls/i686/cmov/libdl.so.2...done.
Loaded symbols for /lib/tls/i686/cmov/libdl.so.2
Reading symbols from /usr/lib/libmysqlclient.so.15...done.
Loaded symbols for /usr/lib/libmysqlclient.so.15
Reading symbols from /lib/tls/i686/cmov/libpthread.so.0...done.
Loaded symbols for /lib/tls/i686/cmov/libpthread.so.0
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
Reading symbols from /lib/tls/i686/cmov/libm.so.6...done.
Loaded symbols for /lib/tls/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/tls/i686/cmov/libc.so.6...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_files.so.2...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_files.so.2
Core was generated by `./php'.
Program terminated with signal 11, Segmentation fault.
[New process 5006]
#0  0x08130eda in zif_mysqli_stmt_fetch (ht=0, return_value=0x856e20c,
    return_value_ptr=0x0, this_ptr=0x856e0b8, return_value_used=1)
    at /home/wshields/php-5.2.8/ext/mysqli/mysqli_api.c:665
665                             if (Z_TYPE_P(stmt->result.vars[i]) == IS_STRING) {
(gdb) bt
#0  0x08130eda in zif_mysqli_stmt_fetch (ht=0, return_value=0x856e20c,
    return_value_ptr=0x0, this_ptr=0x856e0b8, return_value_used=1)
    at /home/wshields/php-5.2.8/ext/mysqli/mysqli_api.c:665
#1  0x083515e5 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb073e4)
    at /home/wshields/php-5.2.8/Zend/zend_vm_execute.h:200
#2  0x08352239 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfb073e4)
    at /home/wshields/php-5.2.8/Zend/zend_vm_execute.h:322
#3  0x08351138 in execute (op_array=0x856d144)
    at /home/wshields/php-5.2.8/Zend/zend_vm_execute.h:92
#4  0x0832c76c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/wshields/php-5.2.8/Zend/zend.c:1134
#5  0x082d91d9 in php_execute_script (primary_file=0xbfb0972c)
    at /home/wshields/php-5.2.8/main/main.c:2023
#6  0x083a8de5 in main (argc=1, argv=0xbfb09884)
    at /home/wshields/php-5.2.8/sapi/cli/php_cli.c:1133

 [2008-12-11 11:18 UTC] webmaster at ajeux dot com
Bug confirmed here on PHP 5.3 with Mysql 5.0.51
SELECT query:

"SELECT id, UNCOMPRESS(myfield) FROM mytable ORDER BY id LIMIT 8"
myfield is BLOB.

How can we help to get it fixed?

"Program received signal SIGSEGV, Segmentation fault."

Backtrace:
#0  0xb7aedb00 in mysqli_stmt_fetch_libmysql (ht=0, return_value=0xb71cbe4c, return_value_ptr=0x0, this_ptr=0xb7265748, return_value_used=1)
    at /usr/src/php5.3-200812091530/ext/mysqli/mysqli_api.c:842
#1  0xb7aedf0d in zif_mysqli_stmt_fetch (ht=0, return_value=0xb71cbe4c, return_value_ptr=0x0, this_ptr=0xb7265748, return_value_used=1)
    at /usr/src/php5.3-200812091530/ext/mysqli/mysqli_api.c:984
#2  0x0827a4b9 in zend_do_fcall_common_helper_SPEC (execute_data=0xb776af88) at /usr/src/php5.3-200812091530/Zend/zend_vm_execute.h:313
#3  0x08279a32 in execute (op_array=0xb738bd94) at /usr/src/php5.3-200812091530/Zend/zend_vm_execute.h:104
#4  0x08253c17 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php5.3-200812091530/Zend/zend.c:1197
#5  0x081faf59 in php_execute_script (primary_file=0xbfb12090) at /usr/src/php5.3-200812091530/main/main.c:2080
#6  0x082ec5a9 in main (argc=1, argv=0xbfb121e4) at /usr/src/php5.3-200812091530/sapi/cgi/cgi_main.c:2000
 [2008-12-11 16:09 UTC] webmaster at ajeux dot com
Note: No bug when mysqlnd is used. (configure with --with-mysqli=mysqlnd)
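As an added example (not code from the bug report or from PHP itself), the following is a hardened version of the fetch loop in the original report. It checks every mysqli call for errors, prints which client library the build uses (the comments above note different behaviour between libmysql and mysqlnd), buffers the result set on the client with store_result() before binding, and verifies each retrieved LONGTEXT value against the server-side LENGTH() of the same column so that truncated or garbage data is detected instead of being silently consumed. The connection parameters are placeholders, the temporary table and its rows are constructed test data, and treating store_result() as a mitigation for long columns under libmysql is an assumption, not something this report confirms.

```php
<?php
// Added example, not the reporter's script. Connection values are placeholders.
$conn = new mysqli('localhost', 'user', 'password', 'db');
if ($conn->connect_errno) {
    die("connect failed: " . $conn->connect_error . "\n");
}

// Report which client library PHP was built against; the thread above
// observes the crash with libmysql but not with mysqlnd.
echo "client library: " . $conn->client_info . "\n";

// Constructed test data: LONGTEXT values of increasing size, each ending in a
// known marker byte so the tail of the value can be verified after fetching.
// Sizes stay below the common 1 MB default for max_allowed_packet.
$conn->query("CREATE TEMPORARY TABLE sampletable (name VARCHAR(32), longtext1 LONGTEXT)")
    or die("create failed: " . $conn->error . "\n");
$ins = $conn->prepare("INSERT INTO sampletable (name, longtext1) VALUES (?, ?)")
    or die("prepare failed: " . $conn->error . "\n");
$ins->bind_param('ss', $name, $payload);          // bound by reference, assigned per row
foreach (array(100, 255, 256, 65535, 65536, 524288) as $len) {
    $name    = "row_$len";
    $payload = str_repeat('x', $len - 1) . '!';
    $ins->execute() or die("insert failed: " . $ins->error . "\n");
}
$ins->close();

// Fetch the server's own byte length alongside the column so the client-side
// result can be cross-checked row by row.
$stmt = $conn->prepare(
    "SELECT name, longtext1, LENGTH(longtext1) FROM sampletable ORDER BY LENGTH(longtext1)"
) or die("prepare failed: " . $conn->error . "\n");
$stmt->execute() or die("execute failed: " . $stmt->error . "\n");

// Buffer the complete result set on the client before binding output variables.
// Assumption: with buffered results the client library knows the real length of
// each column value before fetch() copies it into the bound PHP variables.
$stmt->store_result() or die("store_result failed: " . $stmt->error . "\n");
$stmt->bind_result($rname, $value, $server_len);

$count = 0;
// fetch() returns true per row, null at end of data, false on error.
while (($ret = $stmt->fetch()) === true) {
    $count++;
    $client_len = strlen($value);                 // byte length, not sizeof()
    $ok = ($client_len === (int)$server_len) && (substr($value, -1) === '!');
    printf("%-12s server=%d client=%d %s\n", $rname, $server_len, $client_len,
           $ok ? "OK" : "MISMATCH");
    if (!$ok) {
        // Fail loudly: the retrieved value does not match what the server holds.
        $stmt->close();
        $conn->close();
        die("row $count: retrieved LONGTEXT does not match server-side length\n");
    }
}
if ($ret === false) {
    die("fetch failed: " . $stmt->error . "\n");
}
$stmt->free_result();
$stmt->close();
$conn->close();
echo "$count rows verified\n";
```

Run it with the PHP CLI against a MySQL instance you control. A MISMATCH line, or a fetch error, indicates the client side returned something other than the stored value; the length comparison is the check to add to any code that consumes LONGTEXT or BLOB columns through bound result variables.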
 [2009-01-11 00:10 UTC] wcshields at gmail dot com
Isn't the mysqlnd option for PHP 5.3+?  If so, that's hardly a solution since 5.3 isn't out yet.
 [2009-04-19 14:13 UTC] jani@php.net
Finally could reproduce this, see bug #47928 (I'm closing this report as the other has a short and easy reproduce script now.. :)

 [2009-04-28 09:58 UTC] wcshields at gmail dot com
I sure wish I could figure out why someone marked this bug as "Bogus" rather than, you know, investigating it. Lo and behold it FINALLY is verified. Sorry but the treatment this issue has got (going on for 2+ years through various bugs) is nothing short of ludicrous.
 [2009-04-28 10:47 UTC] pajoye@php.net
The reason has been told: duplicated from #47928 
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 01:01:56 2014 UTC