Bug #53280 PDO_Firebird segfaults query column count less than param count
Submitted: 2010-11-09 17:03 UTC Modified: 2011-12-28 20:03 UTC
From: popescu_dumitru at yahoo dot com Assigned: mariuz
Status: Closed Package: PDO related
PHP Version: 5.3.3 OS: Fedora 13
Private report: No CVE-ID:
 [2010-11-09 17:03 UTC] popescu_dumitru at yahoo dot com
Description:
------------
PDO_Firebird segfaults if query column count is less than param count

Test script:
---------------
<?php

/*
CREATE TABLE test(A VARCHAR(30), B VARCHAR(30), C VARCHAR(30));
INSERT INTO test VALUES ('A', 'B', 'C');

*/

        $dbh = new PDO("firebird:dbname=localhost:/tmp/test.gdb", "SYSDBA", "masterkey");

        $stmt1 = "SELECT B FROM test WHERE A = ? AND B = ?";
        $stmt2 = "SELECT B, C FROM test WHERE A = ? AND B = ?";

        $stmth2 = $dbh->prepare($stmt2);
        $stmth2->execute(array('A', 'B'));
        $rows = $stmth2->fetchAll(); // <------ OK
        var_dump($rows);

        $stmth1 = $dbh->prepare($stmt1);
        $stmth1->execute(array('A', 'B'));
        $rows = $stmth1->fetchAll(); // <------- segfault
        var_dump($rows);
?>



Expected result:
----------------
array(1) {
  [0]=>
  array(4) {
    ["B"]=>
    string(1) "B"
    [0]=>
    string(1) "B"
    ["C"]=>
    string(1) "C"
    [1]=>
    string(1) "C"
  }
}
array(1) {
  [0]=>
  array(2) {
    ["B"]=>
    string(1) "B"
    [0]=>
    string(1) "B"
  }
}


Actual result:
--------------
(gdb) bt
#0  0x008b8b76 in firebird_stmt_get_col (stmt=0x88e7b48, colno=1, ptr=0xbfffcee8, len=0xbfffcee4,
    caller_frees=0xbfffcee0) at /root/src/php-5.3.3/ext/pdo_firebird/firebird_statement.c:273
#1  0x008b9c64 in firebird_stmt_param_hook (stmt=0x88e7b48, param=0x88e872c,
    event_type=PDO_PARAM_EVT_FETCH_POST)
    at /root/src/php-5.3.3/ext/pdo_firebird/firebird_statement.c:556
#2  0x081d39d5 in dispatch_param_event (stmt=0x88e7b48, event_type=PDO_PARAM_EVT_FETCH_POST)
    at /root/src/php-5.3.3/ext/pdo/pdo_stmt.c:184
#3  0x081d554a in do_fetch_common (stmt=0x88e7b48, ori=PDO_FETCH_ORI_NEXT, offset=0, do_bind=1)
    at /root/src/php-5.3.3/ext/pdo/pdo_stmt.c:703
#4  0x081d5b5e in do_fetch (stmt=0x88e7b48, do_bind=1, return_value=0x88e8304, how=PDO_FETCH_BOTH,
    ori=PDO_FETCH_ORI_NEXT, offset=0, return_all=0x0) at /root/src/php-5.3.3/ext/pdo/pdo_stmt.c:861
#5  0x081d7972 in zim_PDOStatement_fetchAll (ht=0, return_value=0x88e83c4, return_value_ptr=0x0,
    this_ptr=0x88e798c, return_value_used=1) at /root/src/php-5.3.3/ext/pdo/pdo_stmt.c:1543
#6  0x08421390 in zend_do_fcall_common_helper_SPEC (execute_data=0x89161b0)
    at /root/src/php-5.3.3/Zend/zend_vm_execute.h:316
#7  0x0842194a in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x89161b0)
    at /root/src/php-5.3.3/Zend/zend_vm_execute.h:421
#8  0x08420a2d in execute (op_array=0x88e4d7c) at /root/src/php-5.3.3/Zend/zend_vm_execute.h:107
#9  0x083f4260 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /root/src/php-5.3.3/Zend/zend.c:1194
#10 0x0838c746 in php_execute_script (primary_file=0xbffff4dc) at /root/src/php-5.3.3/main/main.c:2260
#11 0x084b6eef in main (argc=2, argv=0xbffff654) at /root/src/php-5.3.3/sapi/cli/php_cli.c:1192


Patches

check_if_col_binding_in_fetch_post_event (last revision 2010-11-18 05:56 UTC by popescu_dumitru at yahoo dot com)

History

 [2011-12-10 22:43 UTC] mariuz@php.net
-Assigned To: +Assigned To: mariuz
 [2011-12-28 18:52 UTC] mariuz@php.net
Automatic comment from SVN on behalf of mariuz
Revision: http://svn.php.net/viewvc/?view=revision&revision=321484
Log: Added test case for PDO_Firebird: bug 53280 segfaults if query column count is less than param count
 [2011-12-28 19:58 UTC] mariuz@php.net
Automatic comment from SVN on behalf of mariuz
Revision: http://svn.php.net/viewvc/?view=revision&revision=321487
Log: Fixed PDO_Firebird: bug 53280 segfaults if query column count is less than param count
 [2011-12-28 20:03 UTC] mariuz@php.net
-Status: Assigned +Status: Closed
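
The backtrace in the report shows firebird_stmt_get_col called with colno=1 from the PDO_PARAM_EVT_FETCH_POST hook, while the failing query returns a single column. A simplified C model of that bug class follows, added here as an illustration: it is not the PHP source or the committed fix, and the struct and function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the driver's statement and bound-variable
 * records. All names here are assumptions, not PHP's real structs. */
struct stmt  { int column_count; const char **row; };
struct bound { int paramno; int is_param; const char *value; };

/* Unchecked fetch-post hook in this model: treats every bound entry as
 * an output column and indexes the row by paramno. With 2 placeholders
 * and a 1-column result, paramno 1 reads past the end of row[]. */
static int hook_unchecked(const struct stmt *s, struct bound *b)
{
    b->value = s->row[b->paramno];
    return 1;
}

/* Checked hook: input parameters have nothing to receive after a fetch,
 * and a column binding must name a column that exists. */
static int hook_checked(const struct stmt *s, struct bound *b)
{
    if (b->is_param)
        return 1;                      /* input placeholder: skip */
    if (b->paramno < 0 || b->paramno >= s->column_count)
        return 0;                      /* no such column: report error */
    b->value = s->row[b->paramno];
    return 1;
}

int main(void)
{
    /* Constructed data mirroring the report: SELECT B ... WHERE A=? AND B=? */
    const char *row1[] = { "B" };
    struct stmt one_col = { 1, row1 };
    struct bound second_param = { 1, 1, "B" };   /* 2nd '?', 0-based */

    int ok = hook_checked(&one_col, &second_param);
    printf("checked: ok=%d value=%s\n", ok, second_param.value);

    /* The 2-column query from the report stays in bounds, so in this
     * model the unchecked hook does not crash; it overwrites the value. */
    const char *row2[] = { "B", "C" };
    struct stmt two_col = { 2, row2 };
    hook_unchecked(&two_col, &second_param);
    printf("unchecked, 2 columns: value=%s\n", second_param.value);
    return 0;
}
```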
 