Bug #51601 Segmentation fault when using the 2-argument form of mysql_fetch_array
Submitted: 2010-04-19 17:03 UTC Modified: 2010-08-20 17:49 UTC
Votes:6
Avg. Score:4.7 ± 0.5
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: pcarter at jhu dot edu Assigned: kalle (profile)
Status: Closed Package: MySQL related
PHP Version: 5.3.2 OS: FreeBSD 6.2-RELEASE
Private report: No CVE-ID: None
 [2010-04-19 17:03 UTC] pcarter at jhu dot edu
Description:
------------
When using the two-argument form of mysql_fetch_array PHP experiences a segmentation fault in zend_fetch_resource, attempting to dereference a null pointer. (specifically *passed_id is ((zval *)(0x0)) when performing the IS_RESOURCE check).  This happens regardless of which of the three MYSQL_{BOTH|ASSOC|NUM} constants are used as the second argument (the given script uses MYSQL_BOTH).  This problem does not occur when using the single argument form of mysql_fetch_array, and it does not occur when using the mysql_fetch_assoc() or mysql_fetch_row() functions.

Test environment is FreeBSD 6.2-RELEASE on amd64, with the MySQL 5.0 client library installed.

Test script:
---------------
<?php
    /* Assuming that these credentials are valid */
    $d = mysql_connect('localhost', 'user', '');
    mysql_select_db('test', $d);
    $r = mysql_query("SHOW TABLES", $d);
    /* Two-argument form: crashes in zend_fetch_resource on the affected builds.
       The one-argument form, mysql_fetch_assoc() and mysql_fetch_row() do not. */
    $row = mysql_fetch_array($r, MYSQL_BOTH);
    print_r($row);
?>


Expected result:
----------------
The script should print an array (numerically and associatively indexed) of the tables in the database "test".

Actual result:
--------------
Segmentation fault as noted above.  Backtrace:

#0  0x0000000000638ed3 in zend_fetch_resource (passed_id=0x7fffffffce30, default_id=-1, resource_type_name=0x72fa51 "MySQL result", found_resource_type=0x0, num_resource_types=1)
    at /usr/local/src/php-5.3.2/Zend/zend_list.c:127
#1  0x00000000004d76a6 in php_mysql_fetch_hash (ht=2, return_value=0x9240a0, return_value_ptr=0x638ddf, this_ptr=0x0, return_value_used=1, result_type=3, expected_args=2, into_object=0)
    at /usr/local/src/php-5.3.2/ext/mysql/php_mysql.c:1944
#2  0x00000000004d7c2b in zif_mysql_fetch_array (ht=-12752, return_value=0xffffffff, return_value_ptr=0x638ddf, this_ptr=0x0, return_value_used=1) at /usr/local/src/php-5.3.2/ext/mysql/php_mysql.c:2105
#3  0x000000000064e192 in zend_do_fcall_common_helper_SPEC (execute_data=0xb45040) at zend_vm_execute.h:313
#4  0x000000000064d5b9 in execute (op_array=0x9248c8) at zend_vm_execute.h:104
#5  0x000000000062b765 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-5.3.2/Zend/zend.c:1194
#6  0x00000000005d955b in php_execute_script (primary_file=0x7fffffffeb00) at /usr/local/src/php-5.3.2/main/main.c:2260
#7  0x00000000006b2bca in main (argc=2, argv=0x7fffffffec00) at /usr/local/src/php-5.3.2/sapi/cli/php_cli.c:1192

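The frame #0 in the backtrace shows the failure mode: zend_fetch_resource receives a valid zval** whose pointee is NULL, and its first action is to read the type tag through that pointer. The block below is an added example, not code from PHP or the Zend engine: it models a resource lookup with a deliberately tiny, hypothetical zval and resource-list layout, shows the unchecked order of operations that dereferences NULL, and a checked variant that validates the pointer chain before touching the type tag. The "MySQL result" type name and the constructed payload are only there to mirror the report.

```c
/* Added example, not PHP's own code: a simplified model of the resource
 * lookup that crashed in this report.  The zval and resource-list layout
 * below is hypothetical and far smaller than Zend's; only the order of
 * operations (type check before pointer validation) is what matters. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IS_NULL = 0, IS_LONG = 1, IS_STRING = 6, IS_RESOURCE = 7 };

typedef struct {
    int type;   /* one of the IS_* tags above */
    long lval;  /* resource id when type == IS_RESOURCE */
} zval;

/* Minimal resource list: id -> (type name, payload).  Id 0 is unused. */
typedef struct {
    const char *type_name;
    void *ptr;
} resource_entry;

#define MAX_RESOURCES 8
static resource_entry resource_list[MAX_RESOURCES];

/* Registers a payload and returns its id (>= 1), or -1 when the list is full. */
long register_resource(void *ptr, const char *type_name) {
    for (long id = 1; id < MAX_RESOURCES; id++) {
        if (resource_list[id].ptr == NULL) {
            resource_list[id].ptr = ptr;
            resource_list[id].type_name = type_name;
            return id;
        }
    }
    return -1;
}

/* Unchecked variant: mirrors the failing order of operations.  The first
 * thing it does is read (*passed_id)->type, so a NULL *passed_id is a
 * NULL-pointer dereference before any validation has run. */
void *fetch_resource_unchecked(zval **passed_id, const char *type_name) {
    if ((*passed_id)->type != IS_RESOURCE) {
        return NULL;
    }
    long id = (*passed_id)->lval;
    if (id <= 0 || id >= MAX_RESOURCES || resource_list[id].ptr == NULL) {
        return NULL;
    }
    if (strcmp(resource_list[id].type_name, type_name) != 0) {
        return NULL;   /* right id space, wrong resource type */
    }
    return resource_list[id].ptr;
}

/* Checked variant: validate the pointer chain before reading the type tag.
 * A caller may hand over a valid zval** whose pointee was never assigned,
 * which is exactly the state frame #0 of the backtrace shows. */
void *fetch_resource_checked(zval **passed_id, const char *type_name) {
    if (passed_id == NULL || *passed_id == NULL) {
        fprintf(stderr, "fetch_resource: no %s argument was supplied\n", type_name);
        return NULL;
    }
    return fetch_resource_unchecked(passed_id, type_name);
}

/* Drives the two cases from the report: a real result handle, and the
 * unassigned handle reaching the lookup on the crashing call path.
 * Returns 1 when the checked lookup accepts the first and rejects the second. */
int demo(void) {
    static char fake_result[] = "SHOW TABLES result set";   /* constructed payload */
    long id = register_resource(fake_result, "MySQL result");

    zval handle = { IS_RESOURCE, id };
    zval *good = &handle;
    zval *unassigned = NULL;   /* what *passed_id was at the crash site */

    int ok = fetch_resource_checked(&good, "MySQL result") == (void *)fake_result;
    int rejected = fetch_resource_checked(&unassigned, "MySQL result") == NULL;
    /* fetch_resource_unchecked(&unassigned, "MySQL result") would segfault here. */
    return ok && rejected;
}

int main(void) {
    printf("%s\n", demo() ? "checked lookup behaves" : "unexpected result");
    return 0;
}
```

The point of the two variants is that a NULL passed_id and a non-NULL passed_id pointing at a NULL zval are different failures; a guard that only checks the outer pointer still crashes on the second, which is the one this report hit.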


 [2010-04-19 17:04 UTC] pcarter at jhu dot edu
-Package: MSSQL related +Package: MySQL related
 [2010-04-19 17:04 UTC] pcarter at jhu dot edu
I missed on the package dropdown when submitting the bug.  This belongs with the MySQL package, not the MSSQL package.
 [2010-04-22 02:19 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-04-22 02:19 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2010-04-22 03:14 UTC] pcarter at jhu dot edu
-Status: Feedback +Status: Open
 [2010-04-22 03:14 UTC] pcarter at jhu dot edu
The problem persists with php5.3-201004220030.  The backtrace is identical save instruction addresses.
 [2010-04-23 22:14 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mysql
 [2010-04-29 14:47 UTC] elmex at voll dot in
I have problems with mysql_fetch_array($resurce, MYSQL_ASSOC) returning no result set; if I replace it with mysql_fetch_assoc($resurce) it works fine.

This happens since updating to the last 5.3 PHP with FreeBSD ports....
 [2010-05-11 15:25 UTC] johannes@php.net
-Status: Assigned +Status: Feedback
 [2010-05-11 15:25 UTC] johannes@php.net
Could you please provide the configure line. Please also try using plain PHP, not ports, which apply random patches we don't control.

Please also make sure that you're loading the correct mysql.so in case you're building the mysql extension shared.
 [2010-05-11 16:48 UTC] pcarter at jhu dot edu
-Status: Feedback +Status: Open
 [2010-05-11 16:48 UTC] pcarter at jhu dot edu
My test was run initially with PHP compiled from source pulled from php.net, and as noted the problem persisted with php5.3-201004220030, and ldd claims I'm linking against the correct libmysqlclient.so

Configure line is:

'./configure' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--program-prefix=' '--enable-session' '--with-apxs2=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--prefix=/usr/local' '--enable-dom' '--enable-json' '--enable-simplexml' '--enable-soap' '--with-openssl' '--with-pgsql' '--with-mysql' '--enable-tokenizer' '--enable-xml' '--with-gd' '--enable-gd-native-ttf' '--with-freetype-dir=/usr/local' '--enable-cli' '--enable-zip'
 [2010-05-11 18:24 UTC] andrey@php.net
As a side note, can you try building PHP with the following option --with-mysql=mysqlnd and run the code again? I tried your script today on FreeBSD6 64bit and had no crash, however it was mysqlnd. mysqlnd shouldn't affect this but I want to be sure that this unknown is removed from the equation.
Thanks!
 [2010-05-11 18:24 UTC] andrey@php.net
-Status: Assigned +Status: Feedback
 [2010-05-11 18:36 UTC] pcarter at jhu dot edu
-Status: Feedback +Status: Open
 [2010-05-11 18:36 UTC] pcarter at jhu dot edu
No change using --with-mysql=mysqlnd =/
 [2010-05-11 18:50 UTC] pcarter at jhu dot edu
So having not tried any newer snapshots than php5.3-201004220030 I went ahead and grabbed php5.3-201005111430.  Using '--with-mysql=mysqlnd' the script executes as expected (no segfault), however, the segfault still occurs with '--with-mysql'.  If you'd like I can bisect my way through the snapshots until I find the point at which this became true, but if that's not going to be useful I'd just as soon not.  Let me know if I can provide additional information.
 [2010-08-19 16:25 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: mysql +Assigned To: kalle
 [2010-08-19 16:25 UTC] kalle@php.net
Hi

Does it happen if you initialize zval *res to NULL? And does it happen with the latest 5.3.x release, 5.2.x and trunk versions of those?
 [2010-08-19 20:52 UTC] kalle@php.net
Sorry, I meant SVN versions/snapshots, not trunk :)
 [2010-08-20 12:23 UTC] andrey@php.net
-Status: Assigned +Status: Feedback
 [2010-08-20 12:23 UTC] andrey@php.net
Does it still persist with latest snapshot?
 [2010-08-20 16:46 UTC] pcarter at jhu dot edu
-Status: Feedback +Status: Assigned
 [2010-08-20 16:46 UTC] pcarter at jhu dot edu
Tested with both php5.2-201008201230 and php5.3-201008201230 snapshots using both '--with-mysql' and '--with-mysql=mysqlnd'.  The test script executes as expected, no segfault.  It appears the problem is solved (at least in those branches).  Let me know if there are any other tests or snapshots you'd like me to run.
 [2010-08-20 17:29 UTC] kalle@php.net
Also if you build against libmysql (--without-mysqlnd)?

But great news! :)
 [2010-08-20 17:38 UTC] pcarter at jhu dot edu
Not quite sure what you mean as '--without-mysqlnd' isn't a recognized configure option.  (And to the best of my understanding '--with-mysql' links against libmysql in the absence of further specification). Just to be clear I tested both snapshots with both of the following configure lines (which is I think what you were asking):

'./configure' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--program-prefix=' '--enable-session' '--with-apxs2=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--prefix=/usr/local' '--enable-dom' '--enable-json' '--enable-simplexml' '--enable-soap' '--with-openssl' '--with-pgsql' '--with-mysql' '--enable-tokenizer' '--enable-xml' '--with-gd' '--enable-gd-native-ttf' '--with-freetype-dir=/usr/local' '--enable-cli' '--enable-zip'


'./configure' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--program-prefix=' '--enable-session' '--with-apxs2=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--prefix=/usr/local' '--enable-dom' '--enable-json' '--enable-simplexml' '--enable-soap' '--with-openssl' '--with-pgsql' '--with-mysql=mysqlnd' '--enable-tokenizer' '--enable-xml' '--with-gd' '--enable-gd-native-ttf' '--with-freetype-dir=/usr/local' '--enable-cli' '--enable-zip'

Let me know if I'm confused about something. =)
 [2010-08-20 17:44 UTC] kalle@php.net
I'm sorry, but on Windows (which is where I roam the most) mysqlnd is enabled by default and we can disable it with --without-mysqlnd to build against libmysql. But yeah, what I mean is, if it works against libmysql with the specifications (server version, etc.) as from when you reported it, then I think we're all good and can close this report :)
 [2010-08-20 17:47 UTC] pcarter at jhu dot edu
OK, good to know I'm not too crazy.  I agree this bug can be closed. Thank you very much for your help! =)
 [2010-08-20 17:49 UTC] kalle@php.net
-Status: Assigned +Status: Closed
 [2010-08-20 17:49 UTC] kalle@php.net
No problem, good that the issue is cleared :)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri May 17 04:01:34 2024 UTC