Bug #52843 Segfault when optional parameters are not passed in to mssql_connect
Submitted: 2010-09-14 22:56 UTC
Modified: 2010-09-15 04:13 UTC
From: clint at ubuntu dot com
Assigned: Felipe
Status: Closed
Package: MSSQL related
PHP Version: 5.3.3
OS: Linux
Private report: No
CVE-ID: None

 [2010-09-14 22:56 UTC] clint at ubuntu dot com
This was originally reported in Ubuntu:

Calling mssql_connect() without all of its string arguments will cause php to 

This happens on Ubuntu 10.10 beta, and Ubuntu 10.04. I also compiled php 5.3.3 
vanilla with ./configure --with-mssql=/usr, and the script below caused the 

The error is in this code around line 575 of ext/mssql/php_mssql.c:

        char *host = NULL, *user = NULL, *passwd = NULL;
        int host_len, user_len, passwd_len; /* not initialised */
        zend_bool new_link = 0;
        char *hashed_details;
        int hashed_details_length;
        mssql_link mssql, *mssql_ptr;
        char buffer[40];

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sssb", &host, &host_len, &user, &user_len, &passwd, &passwd_len, &new_link) == FAILURE) {
                return;
        }

        /* Limit strings to 255 chars to prevent overflow issues in underlying libraries */
        if(host_len>255) {
                host[255] = '\0'; /* host is still NULL when the argument was omitted */
        }
        if(user_len>255) {
                user[255] = '\0';
        }
        if(passwd_len>255) {
                passwd[255] = '\0';
        }

If the optional args are not passed in, the len and host parameters will be 
unchanged, and so a null pointer dereference may occur (depending on the 
arbitrary value of the _len variables).

Test script:
php -r 'mssql_connect();'

Expected result:
I would expect the program to exit without crashing.

Actual result:
ubuntu@domU-12-31-39-03-0D-C3:~/src/php5-5.3.3$ gdb php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /usr/bin/php...Reading symbols from 
(gdb) run -r 'mssql_connect();'
Starting program: /usr/bin/php -r 'mssql_connect();'
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb75ac357 in php_mssql_do_connect (ht=0, return_value=0x88dadb4, 
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, persistent=0)
    at /home/ubuntu/src/php5-5.3.3/ext/mssql/php_mssql.c:587
587                     host[255] = '\0';
(gdb) bt
#0  0xb75ac357 in php_mssql_do_connect (ht=0, return_value=0x88dadb4, 
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, persistent=0)
    at /home/ubuntu/src/php5-5.3.3/ext/mssql/php_mssql.c:587
#1  0x083600fa in zend_do_fcall_common_helper_SPEC (execute_data=0x0) at 
#2  0x08336bbe in execute (op_array=0x88db2c0) at /home/ubuntu/src/php5-
#3  0x08300fc3 in zend_eval_stringl (str=0xbffff474 "mssql_connect();", 
str_len=16, retval_ptr=0x0, string_name=0x8749440 "Command line code")
    at /home/ubuntu/src/php5-5.3.3/Zend/zend_execute_API.c:1192
#4  0x08301162 in zend_eval_stringl_ex (str=0xbffff474 "mssql_connect();", 
str_len=16, retval_ptr=0x0, string_name=0x8749440 "Command line code", 
    handle_exceptions=1) at /home/ubuntu/src/php5-
#5  0x083011e3 in zend_eval_string_ex (str=0xbffff474 "mssql_connect();", 
retval_ptr=0x0, string_name=0x8749440 "Command line code", 
    handle_exceptions=1) at /home/ubuntu/src/php5-
#6  0x083a3689 in main (argc=3, argv=0xbffff324) at /home/ubuntu/src/php5-


mssql_fix_segfault (last revision 2010-09-14 20:57 UTC by clint at ubuntu dot com)
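
The failure mode described in the report, as an added example (this is not the PHP source and not the patch that was committed). `parse_optional` is a hypothetical stand-in for an all-optional argument parse, and `stale` is a constructed value representing leftover stack contents in the uninitialised length variables; the second function shows one way to guard the truncation.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ARG 255   /* limit used in the report's snippet */
#define NARGS   3     /* host, user, passwd */

/* Hypothetical stand-in for zend_parse_parameters() with an all-optional
 * spec: outputs belonging to omitted arguments are never written. */
static void parse_optional(int argc, char **argv, char *s[NARGS], int len[NARGS]) {
    for (int i = 0; i < argc && i < NARGS; i++) {
        s[i] = argv[i];
        len[i] = (int)strlen(argv[i]);
    }
}

/* Counts the NULL writes a length-only check would attempt.
 * `stale` is a constructed value standing in for leftover stack contents
 * in the uninitialised *_len variables. */
int null_writes_length_only(int argc, char **argv, int stale) {
    char *s[NARGS] = { NULL, NULL, NULL };
    int len[NARGS] = { stale, stale, stale };
    int n = 0;
    parse_optional(argc, argv, s, len);
    for (int i = 0; i < NARGS; i++)
        if (len[i] > MAX_ARG && s[i] == NULL)
            n++;                /* the reported code would write s[i][255] here */
    return n;
}

/* Guarded form: lengths start at 0 and truncation also requires a non-NULL
 * pointer. Returns the number of arguments truncated. */
int truncate_args_checked(int argc, char **argv) {
    char *s[NARGS] = { NULL, NULL, NULL };
    int len[NARGS] = { 0, 0, 0 };
    int n = 0;
    parse_optional(argc, argv, s, len);
    for (int i = 0; i < NARGS; i++) {
        if (s[i] != NULL && len[i] > MAX_ARG) {
            s[i][MAX_ARG] = '\0';
            len[i] = MAX_ARG;
            n++;
        }
    }
    return n;
}

int main(void) {
    return truncate_args_checked(0, NULL);  /* zero-argument call, as in the test script */
}
```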

 [2010-09-15 04:12 UTC]
Automatic comment from SVN on behalf of felipe
Log: - Fixed bug #52843 (Segfault when optional parameters are not passed in to mssql_connect)
 [2010-09-15 04:13 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: Felipe
 [2010-09-15 04:13 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

I've committed a slightly modified patch into 5.3 branch and trunk.
Thanks for the patch!