php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54296 Crash in SQLite3Stmt internal object destructor
Submitted: 2011-03-17 15:48 UTC Modified: 2021-02-21 04:22 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: decoder-php at own-hero dot net Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.5 OS: Linux x86-64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
17 + 21 = ?
Subscribe to this entry?

 
 [2011-03-17 15:48 UTC] decoder-php at own-hero dot net
Description:
------------
The attached code crashes on PHP5.3.5 (debug build).

Test script:
---------------
<?php
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');
$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($$result->columnName(0));
}
?>


Actual result:
--------------
==30655== Invalid read of size 8
==30655==    at 0x7C5DEA: zend_llist_del_element (zend_llist.c:97)
==30655==    by 0x49EF70: php_sqlite3_stmt_object_free_storage (sqlite3.c:1936)
==30655==    by 0x800A1C: zend_objects_store_free_object_storage (zend_objects_API.c:92)
==30655==    by 0x7C1326: shutdown_executor (zend_execute_API.c:302)
==30655==    by 0x7D2685: zend_deactivate (zend.c:890)
==30655==    by 0x75C7B5: php_request_shutdown (main.c:1633)
==30655==    by 0x8B7FEB: main (php_cli.c:1374)
==30655==  Address 0x5a5a5a5a5a5a5a5a is not stack'd, malloc'd or (recently) free'd
==30655== 
==30655== 
==30655== Process terminating with default action of signal 11 (SIGSEGV)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-23 02:03 UTC] felipe@php.net
-Summary: Crash in zend_llist_del_element +Summary: Crash in SQLite3Stmt internal object destructor
 [2011-03-23 02:03 UTC] felipe@php.net
It seems a bit related to bug #53626.
 [2011-12-27 09:19 UTC] stas@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: scottmac
 [2012-06-03 18:32 UTC] felipe@php.net
-Type: Security +Type: Bug
 [2017-10-24 06:13 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: scottmac +Assigned To:
 [2021-01-09 20:40 UTC] sji at sj-i dot dev
cannot reproduce this on 8.0.1-debug
 [2021-02-12 11:37 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-02-12 11:37 UTC] cmb@php.net
Can anyone still reproduce this segfault with any of the actively
supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-02-21 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu May 26 01:03:41 2022 UTC