php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #54296 Crash in SQLite3Stmt internal object destructor
Submitted: 2011-03-17 15:48 UTC Modified: 2021-02-21 04:22 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: decoder-php at own-hero dot net Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.5 OS: Linux x86-64
Private report: No CVE-ID: None
View Developer Edit
 [2011-03-17 15:48 UTC] decoder-php at own-hero dot net 
Description:
------------
The attached code crashes on PHP5.3.5 (debug build).

Test script:
---------------
<?php
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');
$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($$result->columnName(0));
}
?>


Actual result:
--------------
==30655== Invalid read of size 8
==30655==    at 0x7C5DEA: zend_llist_del_element (zend_llist.c:97)
==30655==    by 0x49EF70: php_sqlite3_stmt_object_free_storage (sqlite3.c:1936)
==30655==    by 0x800A1C: zend_objects_store_free_object_storage (zend_objects_API.c:92)
==30655==    by 0x7C1326: shutdown_executor (zend_execute_API.c:302)
==30655==    by 0x7D2685: zend_deactivate (zend.c:890)
==30655==    by 0x75C7B5: php_request_shutdown (main.c:1633)
==30655==    by 0x8B7FEB: main (php_cli.c:1374)
==30655==  Address 0x5a5a5a5a5a5a5a5a is not stack'd, malloc'd or (recently) free'd
==30655== 
==30655== 
==30655== Process terminating with default action of signal 11 (SIGSEGV)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-23 02:03 UTC] felipe@php.net
-Summary: Crash in zend_llist_del_element +Summary: Crash in SQLite3Stmt internal object destructor
 [2011-03-23 02:03 UTC] felipe@php.net 
It seems a bit related to bug #53626.
 [2011-12-27 09:19 UTC] stas@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: scottmac
 [2012-06-03 18:32 UTC] felipe@php.net
-Type: Security +Type: Bug
 [2017-10-24 06:13 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: scottmac +Assigned To:
 [2021-01-09 20:40 UTC] sji at sj-i dot dev 
cannot reproduce this on 8.0.1-debug
 [2021-02-12 11:37 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-02-12 11:37 UTC] cmb@php.net 
Can anyone still reproduce this segfault with any of the actively
supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-02-21 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon Dec 30 14:01:28 2024 UTC