php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55653 PS crash with libmysql when binding same variable as param and out
Submitted: 2011-09-09 12:00 UTC Modified: 2011-09-10 04:44 UTC
From: uw@php.net Assigned: laruence
Status: Closed Package: MySQLi related
PHP Version: 5.4SVN-2011-09-09 (SVN) OS:
Private report: No CVE-ID:
 [2011-09-09 12:00 UTC] uw@php.net
Description:
------------
This will crash, if using mysqli with libmysql.

 sapi/cli/php -r '$link = new mysqli("192.168.2.27", "root", "", "test"); $stmt = $link->stmt_init(); $in = "a"; $stmt->prepare("SELECT ?"); $stmt->bind_param("s", $in); $stmt->execute(); $stmt->bind_result($in); $stmt->fetch(); var_dump($in);'

/home/nixnutz/php-src/branches/PHP_5_4/ext/mysqli/mysqli_api.c(890) : Block 0x071e5870 status:
Invalid pointer: ((size=0x005976c6) != (next.prev=0x00000000))
==12847== Conditional jump or move depends on uninitialised value(s)
==12847==    at 0x81C242: zend_mm_check_ptr (zend_alloc.c:1388)
==12847==    by 0x81C230: zend_mm_check_ptr (zend_alloc.c:1385)
==12847==    by 0x81DDA6: _zend_mm_free_int (zend_alloc.c:2064)
==12847==    by 0x81F350: _efree (zend_alloc.c:2436)
==12847==    by 0x5F412E: mysqli_stmt_fetch_libmysql (mysqli_api.c:890)


Box 1:

mysqli

MysqlI Support => enabled
Client API library version => 5.6.2-m5
Active Persistent Links => 0
Inactive Persistent Links => 0
Active Links => 0
Client API header version => 5.6.2-m5
MYSQLI_SOCKET => /tmp/mysql.sock


Box 2:

mysqli

MysqlI Support => enabled
Client API library version => 5.1.45
Active Persistent Links => 0
Inactive Persistent Links => 0
Active Links => 0
Client API header version => 5.1.45
MYSQLI_SOCKET => /tmp/mysql.sock





Test script:
---------------
 sapi/cli/php -r '$link = new mysqli("192.168.2.27", "root", "", "test"); $stmt = $link->stmt_init(); $in = "a"; $stmt->prepare("SELECT ?"); $stmt->bind_param("s", $in); $stmt->execute(); $stmt->bind_result($in); $stmt->fetch(); var_dump($in);'




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-09 12:11 UTC] uw@php.net
Automatic comment from SVN on behalf of uw
Revision: http://svn.php.net/viewvc/?view=revision&revision=316455
Log: Bug #55653
 [2011-09-09 12:12 UTC] uw@php.net
Test added
 [2011-09-10 03:51 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=316474
Log: Fixed Bug #55653(PS crash with libmysql when binding same variable as param and out)
Actually this caused by attempt to efree a INTERNED string
 [2011-09-10 03:52 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2011-09-10 03:52 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-09-10 04:44 UTC] laruence@php.net
this also cause a segfault in ext/mysqli/tests/mysqli_stmt_execute_stored_proc.php
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5e477ae1f899c6382f86f51ee309d7640ec598db
Log: Fixed Bug #55653(PS crash with libmysql when binding same variable as param and out) Actually this caused by attempt to efree a INTERNED string
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5e477ae1f899c6382f86f51ee309d7640ec598db
Log: Fixed Bug #55653(PS crash with libmysql when binding same variable as param and out) Actually this caused by attempt to efree a INTERNED string
 [2013-11-17 09:36 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5e477ae1f899c6382f86f51ee309d7640ec598db
Log: Fixed Bug #55653(PS crash with libmysql when binding same variable as param and out) Actually this caused by attempt to efree a INTERNED string
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 17:01:58 2014 UTC