Bug #48070 PDO_OCI: Segfault when using persistent connection
Submitted: 2009-04-24 14:09 UTC Modified: 2009-05-12 22:02 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: jarismar dot php at gmail dot com Assigned: mbeccati
Status: Closed Package: PDO related
PHP Version: 5.2CVS-2009-04-24 (CVS) OS: *
Private report: No CVE-ID:
 [2009-04-24 14:09 UTC] jarismar dot php at gmail dot com
Description:
------------
When using persistent connections, Apache segfaults at the end of the request.
The segfault only happens if some statement has an error.

Reproduced on Windows (XP) and Linux (debian 2.6.29-1-686).



Reproduce code:
---------------
$sDSN = 'oci:dbname=//webreport:1521/adplabs';
$sUserName = 'rpttest82';
$sPassword = 'rpttest82';

$oPDO = new PDO($sDSN, $sUserName, $sPassword, array(PDO::ATTR_PERSISTENT => true));
$oPDO->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
  $oStatement = $oPDO->prepare('Select x from no_table');
  $oStatement->execute();
} catch (Exception $oException) {
  print $oException->getMessage()."\n";
}

Expected result:
----------------
SQLSTATE[HY000]: General error: 942 OCIStmtExecute: ORA-00942: table or view does not exist (/home/jaris/php-latest/ext/pdo_oci/oci_statement.c:147)

Actual result:
--------------
Windows:

Unhandled exception at 0x0088ad16 (php5ts.dll) in Apache.exe: 0xC0000005: Access violation reading location 0x002c5cc4.

Debian:
segmentation fault
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

 [2009-04-24 14:11 UTC] jarismar dot php at gmail dot com
I think this happens because error messages are being created with pestrdup and later destructed with efree.

I've changed the pdo_oci extension to use pefree when appropriate, it seems to solve the problem.

This is the patch against PHP_5_2 tip.

cvs diff -u >
Index: oci_driver.c
===================================================================
RCS file: /repository/php-src/ext/pdo_oci/oci_driver.c,v
retrieving revision 1.24.2.4.2.11
diff -u -u -p -r1.24.2.4.2.11 oci_driver.c
--- oci_driver.c	31 Dec 2008 11:17:42 -0000	1.24.2.4.2.11
+++ oci_driver.c	24 Apr 2009 10:47:29 -0000
@@ -70,16 +70,15 @@ ub4 _oci_error(OCIError *err, pdo_dbh_t 
 		S = (pdo_oci_stmt*)stmt->driver_data;
 		einfo = &S->einfo;
 		pdo_err = &stmt->error_code;
-		if (einfo->errmsg) {
-			efree(einfo->errmsg);
-		}
 	}
 	else {
 		einfo = &H->einfo;
-		if (einfo->errmsg) {
-			pefree(einfo->errmsg, dbh->is_persistent);
-		}
 	}
+	
+	if (einfo->errmsg) {
+		pefree(einfo->errmsg, dbh->is_persistent);
+	}
+
 
 	einfo->errmsg = NULL;
 	einfo->errcode = 0;
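Review bot: the unified `pefree(einfo->errmsg, dbh->is_persistent)` is only correct if every writer of `einfo->errmsg` allocates with that same flag; the statement branch previously freed with plain `efree`, so confirm that the allocation site later in `_oci_error` uses `dbh->is_persistent` for the stmt case as well as the dbh case, otherwise this just moves the mismatch. Style: the added `+\t` and `+` lines leave trailing whitespace and a double blank line before `einfo->errmsg = NULL;`; drop them.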
Index: oci_statement.c
===================================================================
RCS file: /repository/php-src/ext/pdo_oci/oci_statement.c,v
retrieving revision 1.16.2.10.2.9
diff -u -u -p -r1.16.2.10.2.9 oci_statement.c
--- oci_statement.c	31 Dec 2008 11:17:42 -0000	1.16.2.10.2.9
+++ oci_statement.c	24 Apr 2009 10:47:30 -0000
@@ -54,6 +54,7 @@ static php_stream *oci_create_lob_stream
 static int oci_stmt_dtor(pdo_stmt_t *stmt TSRMLS_DC) /* {{{ */
 {
 	pdo_oci_stmt *S = (pdo_oci_stmt*)stmt->driver_data;
+	pdo_dbh_t *dbh = stmt->dbh;
 	HashTable *BC = stmt->bound_columns;
 	HashTable *BP = stmt->bound_params;
 
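Review bot: the new local `pdo_dbh_t *dbh = stmt->dbh;` exists only to read `is_persistent` once at the free below; `stmt->dbh->is_persistent` at that call site would avoid the extra declaration, though the local does mirror the `dbh` parameter naming in `_oci_error`. Minor style point only.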
@@ -87,7 +88,7 @@ static int oci_stmt_dtor(pdo_stmt_t *stm
 	}
 
 	if (S->einfo.errmsg) {
-		efree(S->einfo.errmsg);
+		pefree(S->einfo.errmsg, dbh->is_persistent);
 		S->einfo.errmsg = NULL;
 	}
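Review bot: `pefree(S->einfo.errmsg, dbh->is_persistent)` now matches the driver-side release in oci_driver.c and is the right shape for the "canary mismatch on efree()" in the report, but it relies on the buffer having been allocated with the same persistence flag (the reporter states it comes from `pestrdup`); the allocation in `_oci_error` should be checked in the same change so the two sides cannot drift apart again.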
 [2009-04-26 11:43 UTC] jarismar dot php at gmail dot com
This seems to fix these two bugs also:

Bug #42075: pdo_oci crash (with persistent connection) when couldn't connect to db
Bug #44560: Apache crashes with PDO_OCI and both persistent and non-persistent connections.
 [2009-04-27 14:25 UTC] johannes@php.net
Chris, please take a look, thanks.
 [2009-04-30 16:57 UTC] mbeccati@php.net
It took some time as I wasn't able to reproduce it using the cli sapi.

Looks like it's a duplicate of an existing bug that was fixed in 5.3+ but not backported to 5.2. 

The fix for #44301 matches the proposed patch for oci_statement.c, but leaves oci_driver.c potentially affected.

I will fix in HEAD and backport to PHP_5_3 and PHP_5_2 soon.

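As an added example (not PHP's code and not the patch above), a C model of the pemalloc/pefree convention this fix relies on: each string records the pool it was allocated from, and a release through the wrong pool is reported instead of corrupting the heap, which is what the report's "canary mismatch on efree()" alert caught. The pool tags and the `*_m` function names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pool tags standing in for Zend's per-request heap (emalloc/efree)
 * and its persistent process heap; the names here are this example's, not Zend's. */
#define POOL_REQUEST    0xA5
#define POOL_PERSISTENT 0x5A

typedef struct { unsigned char pool; char data[]; } blk_t;

/* Model of pestrdup(): copy s into the pool selected by `persistent`. */
static char *pestrdup_m(const char *s, int persistent) {
    blk_t *b = malloc(sizeof *b + strlen(s) + 1);
    if (!b) return NULL;
    b->pool = persistent ? POOL_PERSISTENT : POOL_REQUEST;
    strcpy(b->data, s);
    return b->data;
}

/* Model of pefree(): release through the pool the caller names. Returns 1 when the
 * header agrees with the caller, 0 on a mismatch (block deliberately left unfreed). */
static int pefree_m(char *p, int persistent) {
    blk_t *b = (blk_t *)(p - offsetof(blk_t, data));
    int ok = b->pool == (persistent ? POOL_PERSISTENT : POOL_REQUEST);
    if (ok) free(b);
    return ok;
}

/* Model of efree(): always the request pool, as the old oci_stmt_dtor did. */
static int efree_m(char *p) { return pefree_m(p, 0); }

/* 'Before' shape of bug #48070: errmsg allocated with the connection's
 * persistence flag but released with plain efree(). Returns 0 on mismatch. */
int release_errmsg_buggy(int is_persistent) {
    char *errmsg = pestrdup_m("ORA-00942: table or view does not exist", is_persistent);
    return errmsg ? efree_m(errmsg) : 0;
}

/* Patched shape: release with the same flag that chose the pool. */
int release_errmsg_fixed(int is_persistent) {
    char *errmsg = pestrdup_m("ORA-00942: table or view does not exist", is_persistent);
    return errmsg ? pefree_m(errmsg, is_persistent) : 0;
}

int main(void) {
    printf("buggy, persistent: %s\n", release_errmsg_buggy(1) ? "ok" : "pool mismatch");
    printf("fixed, persistent: %s\n", release_errmsg_fixed(1) ? "ok" : "pool mismatch");
    return 0;
}
```

With a non-persistent connection both variants agree, which is why the crash only shows up with PDO::ATTR_PERSISTENT set.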
 [2009-05-12 22:02 UTC] mbeccati@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 01:01:56 2014 UTC