Bug #51624 Crash when calling mysqli_options()
Submitted: 2010-04-21 14:10 UTC Modified: 2010-04-26 01:25 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: zulcss at ubuntu dot com Assigned: felipe
Status: Closed Package: Reproducible crash
PHP Version: 5.3.2 OS: Ubuntu/Linux
Private report: No CVE-ID:
 [2010-04-21 14:10 UTC] zulcss at ubuntu dot com
Description:
------------
Hi,

This bug was recently reported on launchpad at http://bugs.launchpad.net/bugs/567043. I have included the gdb backtrace with this bug report.

Regards
chuck

Expected result:
----------------
Not to crash.

Actual result:
--------------
#0  0x00007fe478493d02 in memcpy () from /lib/libc.so.6
No symbol table info available.
#1  0x0000000000677ff8 in _estrndup (s=0x4d00000050 <Address 0x4d00000050 out of bounds>, length=90) at /usr/include/bits/string3.h:52
No locals.
#2  0x000000000069459b in _zval_copy_ctor_func (zvalue=0x1f84ca8) at /build/buildd/php5-5.3.2/Zend/zend_variables.c:126
        tmp = 0x1ecb470
        original_ht = 0x1ecb470
#3  0x00007fe4752b0f68 in zif_mysqli_options (ht=33049848, return_value=0x1f84c58, return_value_ptr=0x5a, this_ptr=0x4d00000050, return_value_used=17) at /build/buildd/php5-5.3.2/Zend/zend_variables.h:45
        mysql_link = 0x1f84ca8
        mysql_value = 0x5
        mysql_option = 33049648
        l_value = 0
        expected_type = 33049848
#4  0x00000000006e598a in zend_do_fcall_common_helper_SPEC (execute_data=0x142a390) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:313
        opline = 0x15c7698
        should_change_scope = 0 '\000'
#5  0x00000000006bcc70 in execute (op_array=0x11d7080) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:104
        ret = 33049848
        execute_data = 0x142a390
        nested = 0 '\000'
        original_in_execution = 1 '\001'
#6  0x000000000068ab94 in zend_call_function (fci=0x7fff6ab02fd0, fci_cache=0x141f840) at /build/buildd/php5-5.3.2/Zend/zend_execute_API.c:947
        i = 17
        original_return_value = 0x141f6f0
        calling_symbol_table = 0x1938398
        original_op_array = 0x19cf630
        original_opline_ptr = <incomplete type>
        current_scope = 0x1db96c0
        current_called_scope = 0x1938398
        calling_scope = 0x0
        called_scope = 0x141f6f0
        current_this = 0x0
        execute_data = {opline = 0x0, function_state = {function = 0x0, arguments = 0x1949408}, fbc = 0x141fe68, called_scope = 0x0, op_array = 0x0, object = 0x0, Ts = 0x1956490, CVs = 0x141f938, symbol_table = 0x141f8d8, 
          prev_execute_data = 0x0, old_error_reporting = 0x141f840, nested = 0 '\000', original_return_value = 0x1, current_scope = 0x141e228, current_called_scope = 0x1938398, current_this = 0x1938398, current_object = 0x1db92d0, 
          call_opline = 0x0}
#7  0x00000000005cd107 in zif_call_user_func_array (ht=33049848, return_value=0x1db8eb8, return_value_ptr=0x5a, this_ptr=0x1, return_value_used=17) at /build/buildd/php5-5.3.2/ext/standard/basic_functions.c:4782
        params = 0x0
        retval_ptr = 0x141f840
        fci = {size = 6082823, function_table = 0x48, function_name = 0x1927c28, symbol_table = 0x1a58120, retval_ptr_ptr = 0x0, param_count = 1789931600, params = 0x3, object_ptr = 0x1da2868, no_separation = 144 '\220'}
        fci_cache = {initialized = 176 '\260', function_handler = 0x1, calling_scope = 0x1949408, called_scope = 0x1927bf8, object_ptr = 0x1927bf8}
#8  0x00000000006e598a in zend_do_fcall_common_helper_SPEC (execute_data=0x141f840) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:313
        opline = 0x19d4418
        should_change_scope = 0 '\000'
#9  0x00000000006bcc70 in execute (op_array=0x19cf630) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:104
        ret = 33049848
        execute_data = 0x141f840
        nested = 0 '\000'
        original_in_execution = 0 '\000'
#10 0x000000000069499d in zend_execute_scripts (type=0, retval=0x7fff6ab03210, file_count=3) at /build/buildd/php5-5.3.2/Zend/zend.c:1266
        files = 0x7fff6ab031e8
        i = 1
        file_handle = 0x7fff6ab05810
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0xd8fd30
#11 0x0000000000640608 in php_execute_script (primary_file=0x1888) at /build/buildd/php5-5.3.2/main/main.c:2288
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 2, 0, 6040, 0}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 1, 0, 27843312, 0, 12, 0, 11235408, 0, 1789928576, 32767, 24063528, 0, 0, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = 1789930876, filename = 0x7fff6ab027b0 "\367\002\033\003\060", opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 1789928092, mmap = {len = 1789928096, pos = 1789928624, 
                map = 0x7fff6ab02270, buf = 0x7fff6ab02294 "\004", old_handle = 0x0, old_closer = 0x7fff6ab02298}, reader = 0x7fff6ab022b1, fsizer = 0xffffffffffffffff, closer = 0}}, free_filename = 0 '\000'}
        append_file = {type = 32270416, filename = 0x81 <Address 0x81 out of bounds>, opened_path = 0x0, handle = {fd = 11259128, fp = 0xabccf8, stream = {handle = 0xabccf8, isatty = 1789928704, mmap = {len = 77, pos = 0, map = 0x4e, 
                buf = 0x20 <Address 0x20 out of bounds>, old_handle = 0x645b9f, old_closer = 0x7fff6ab02218}, reader = 0x7fff6ab02231, fsizer = 0x7fe47558bc00, closer = 0}}, free_filename = 58 ':'}
        retval = 0
#12 0x0000000000722534 in main (argc=32767, argv=0x0) at /build/buildd/php5-5.3.2/sapi/cgi/cgi_main.c:2110
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 3519450402, 4092175345, 14222272, 0}, __mask_was_saved = -175993566, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        free_query_string = 16777216
        exit_status = 0
        cgi = 0
        c = 33049848
        i = 14218272
        len = 14218272
        file_handle = {type = 2005125391, filename = 0x4 <Address 0x4 out of bounds>, opened_path = 0x13d64e8 "/var/www/www.tetramid.net/html/audrey/main.php", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 20886816, 
              mmap = {len = 0, pos = 22978, map = 0x0, buf = 0x7fe47ad09000 <Address 0x7fe47ad09000 out of bounds>, old_handle = 0x7fe47ad09000, old_closer = 0x17c5f70}, reader = 0x6aa4c0 <zend_stream_stdio_closer>, 
              fsizer = 0x6aab00 <zend_stream_stdio_reader>, closer = 0x6aa580 <zend_stream_stdio_fsizer>}}, free_filename = 128 '\200'}
        s = 0x13d5248 "/var/www/www.tetramid.net/html/audrey/main.php"
        behavior = 0
        no_headers = 0
        orig_optind = 0
        orig_optarg = 0x0
        script_file = 0x100000000 <Address 0x100000000 out of bounds>
        max_requests = 1
        requests = 0
        fastcgi = 1
        bindpath = 0x100000001 <Address 0x100000001 out of bounds>
        fcgi_fd = 14218272
        request = {listen_socket = 0, fd = 0, id = 0, keep = 3, closed = 1, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0x0, 
          out_buf = "\360X\260j\377\177\000\000\001\006\000\001\005\n\006\000X-Powered-By: PHP/5.3.2-1ubuntu4\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nContent-type: text/javascript; charset=UTF-8\r\nLast-Modified: Tue, 20 Apr 2010 04:31:55 GMT\r\nExpires: Thu, 20 M"..., reserved = "drey/vid\000\000\000\000\000\000\000", env = 0x0}
        repeats = 0
        benchmark = 0
        start = {tv_sec = 0, tv_usec = 0}
        end = {tv_sec = 0, tv_usec = 0}
        status = 0


History

 [2010-04-21 16:52 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-04-21 16:52 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2010-04-22 21:08 UTC] Fedora at famillecollet dot com
I just tried gallery2 with the 201004221630 snapshot (5.3.3-dev).

No crash encountered.

Just need to find the fix in subversion.
 [2010-04-26 00:51 UTC] magicaltux@php.net
A wild guess based on the comment date: SVN revision 298253

The patch:
http://ookoo.org/svn/snip/php-5.3.2-mysql-badmem-fix.patch

I have applied the patch on my install and asked customers experiencing problems to try again. They report that the problem is fixed. I guess this bug report can now be closed.
 [2010-04-26 01:24 UTC] felipe@php.net
-Summary: Gallery2 causing segfault when trying to update. +Summary: Crash when calling mysqli_options()
 [2010-04-26 01:25 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=298563
Log: - BFN #51624
 [2010-04-26 01:25 UTC] felipe@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-04-26 01:25 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for testing!
 
Last updated: Wed Apr 16 07:02:02 2014 UTC