php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54296 Crash in SQLite3Stmt internal object destructor
Submitted: 2011-03-17 15:48 UTC Modified: 2021-02-21 04:22 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: decoder-php at own-hero dot net Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.5 OS: Linux x86-64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: decoder-php at own-hero dot net
New email:
PHP Version: OS:

 

 [2011-03-17 15:48 UTC] decoder-php at own-hero dot net
Description:
------------
The attached code crashes on PHP5.3.5 (debug build).

Test script:
---------------
<?php
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');
$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($$result->columnName(0));
}
?>


Actual result:
--------------
==30655== Invalid read of size 8
==30655==    at 0x7C5DEA: zend_llist_del_element (zend_llist.c:97)
==30655==    by 0x49EF70: php_sqlite3_stmt_object_free_storage (sqlite3.c:1936)
==30655==    by 0x800A1C: zend_objects_store_free_object_storage (zend_objects_API.c:92)
==30655==    by 0x7C1326: shutdown_executor (zend_execute_API.c:302)
==30655==    by 0x7D2685: zend_deactivate (zend.c:890)
==30655==    by 0x75C7B5: php_request_shutdown (main.c:1633)
==30655==    by 0x8B7FEB: main (php_cli.c:1374)
==30655==  Address 0x5a5a5a5a5a5a5a5a is not stack'd, malloc'd or (recently) free'd
==30655== 
==30655== 
==30655== Process terminating with default action of signal 11 (SIGSEGV)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-23 02:03 UTC] felipe@php.net
-Summary: Crash in zend_llist_del_element +Summary: Crash in SQLite3Stmt internal object destructor
 [2011-03-23 02:03 UTC] felipe@php.net
It seems a bit related to bug #53626.
 [2011-12-27 09:19 UTC] stas@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: scottmac
 [2012-06-03 18:32 UTC] felipe@php.net
-Type: Security +Type: Bug
 [2017-10-24 06:13 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: scottmac +Assigned To:
 [2021-01-09 20:40 UTC] sji at sj-i dot dev
cannot reproduce this on 8.0.1-debug
 [2021-02-12 11:37 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-02-12 11:37 UTC] cmb@php.net
Can anyone still reproduce this segfault with any of the actively
supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-02-21 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue Jan 25 12:03:34 2022 UTC