Bug #56435 Segfaults when passing empty SimpleXMLElement as bind variable
Submitted: 2005-06-30 14:58 UTC Modified: 2005-10-23 09:30 UTC
From: murphy at renkoo dot net Assigned:
Status: No Feedback Package: PDO (PECL)
PHP Version: 5.0.4 OS: SuSE Linux Enterprise Server 9
Private report: No CVE-ID: None
 [2005-06-30 14:58 UTC] murphy at renkoo dot net
Description:
------------
PHP Version => 5.0.4
Configure Command =>  './configure' '--prefix=/usr/local/php5' '--with-mysql=/usr' '--with-mysqli=/usr/bin/mysql_config' '--with-mcrypt' '--with-curl' '--with-gd' '--with-zlib' '--enable-sockets' '--enable-snmp' '--with-apxs=/usr/local/apache/bin/apxs'
Server API => Command Line Interface

PDO and PDO_mysql dynamically loaded, built from PECL CVS head as of 6/30/05.

PHP segfaults when passing an empty SimpleXMLElement as a bound value to a PDOStatement. When the SimpleXMLElement isn't empty, PHP seems able to coerce it to a string successfully.

(This is probably not a good thing to be doing, and I've changed my real code to pass the names as strings, but this should trigger an error rather than crash.)

Reproduce code:
---------------
http://www.renkoo.net/~murphy/crash.txt

Expected result:
----------------
City ID:1
City not found in db.

Actual result:
--------------
City ID:1
Segmentation fault (core dumped)

Reading symbols from /usr/local/php5/lib/php/extensions/no-debug-non-zts-20041030/pdo.so...done.
Loaded symbols for /usr/local/php5/lib/php/extensions/no-debug-non-zts-20041030/pdo.so
Reading symbols from /usr/local/php5/lib/php/extensions/no-debug-non-zts-20041030/pdo_mysql.so...done.
Loaded symbols for /usr/local/php5/lib/php/extensions/no-debug-non-zts-20041030/pdo_mysql.so
#0  0x081b6908 in _zend_hash_add_or_update (ht=0x832817c, arKey=0x83148f4 ":name", nKeyLength=5, pData=0xbfffa850, nDataSize=40, pDest=0xbfffa808, flag=1)
    at /home/murphy/php-5.0.4/Zend/zend_hash.c:215
215                     if ((p->h == h) && (p->nKeyLength == nKeyLength)) {
(gdb) bt
#0  0x081b6908 in _zend_hash_add_or_update (ht=0x832817c, arKey=0x83148f4 ":name", nKeyLength=5, pData=0xbfffa850, nDataSize=40, pDest=0xbfffa808, flag=1)
    at /home/murphy/php-5.0.4/Zend/zend_hash.c:215
#1  0x405dee71 in really_register_bound_param (param=0xbfffa850, stmt=0x832da94, is_param=Variable "is_param" is not available.
) at /home/murphy/pecl/pdo/pdo_stmt.c:290
#2  0x405e2080 in zif_PDOStatement_execute (ht=1, return_value=0x832d9a4, this_ptr=0x8329614, return_value_used=0) at /home/murphy/pecl/pdo/pdo_stmt.c:349
#3  0x081d6009 in zend_do_fcall_common_helper (execute_data=0xbfffab40, opline=0x8328738, op_array=0x8328c98) at /home/murphy/php-5.0.4/Zend/zend_execute.c:2727
#4  0x081de3eb in execute (op_array=0x8328c98) at /home/murphy/php-5.0.4/Zend/zend_execute.c:1406
#5  0x081d5b93 in zend_do_fcall_common_helper (execute_data=0xbfffae30, opline=0x832799c, op_array=0x8322d54) at /home/murphy/php-5.0.4/Zend/zend_execute.c:2756
#6  0x081d61b3 in zend_do_fcall_handler (execute_data=0xbfffae30, opline=0x832799c, op_array=0x8322d54) at /home/murphy/php-5.0.4/Zend/zend_execute.c:2859
#7  0x081de3eb in execute (op_array=0x8322d54) at /home/murphy/php-5.0.4/Zend/zend_execute.c:1406
#8  0x081aec1f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/murphy/php-5.0.4/Zend/zend.c:1069
#9  0x0817c36e in php_execute_script (primary_file=0xbfffd280) at /home/murphy/php-5.0.4/main/main.c:1632
#10 0x081df664 in main (argc=2, argv=0xbfffd344) at /home/murphy/php-5.0.4/sapi/cli/php_cli.c:946
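
The workaround the report mentions (passing the names as strings), as an added example that is not part of the original report or of the linked crash.txt. It reduces each value to a scalar before PDO receives it and throws on anything it cannot convert. The `bindable()` helper, the `city` table and the XML are hypothetical or constructed, and the `pdo_sqlite` driver is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: reduce a value to a scalar so that PDO never has to
 * coerce an object itself. Anything that cannot be converted raises an
 * exception instead of reaching the driver.
 */
function bindable($value)
{
    if ($value === null || is_scalar($value)) {
        return $value;
    }
    if ($value instanceof SimpleXMLElement) {
        // An element with no text content casts to '' (empty string).
        return (string) $value;
    }
    if (is_object($value) && method_exists($value, '__toString')) {
        return (string) $value;
    }
    throw new InvalidArgumentException(
        'Cannot bind value of type ' . gettype($value)
    );
}

// Constructed sample input: one populated and one empty <name> element.
$xml = simplexml_load_string(
    '<cities><city><name>Paris</name></city><city><name/></city></cities>'
);

// Assumption: in-memory SQLite stands in for the reporter's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE city (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO city (name) VALUES ('Paris')");

$stmt = $db->prepare('SELECT id FROM city WHERE name = :name');

foreach ($xml->city as $city) {
    // Bind the converted string, never the SimpleXMLElement itself.
    $stmt->execute([':name' => bindable($city->name)]);
    $id = $stmt->fetchColumn();
    $stmt->closeCursor();
    echo $id === false ? "City not found in db.\n" : "City ID:$id\n";
}
```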


 [2005-07-02 22:55 UTC] wez@php.net
I'm unable to reproduce this using the latest HEAD of PHP CVS.
The backtrace you have there seems like an unlikely place to crash too, which makes me suspect that something else might be the cause.

Could you try re-running your tests under valgrind to see if it shows anything bad?
valgrind --tool=memcheck php script.php

Otherwise, I'd suggest that you try out the next PHP 5.1 snapshot.  PDO doesn't build against 5.0.x right now, but will do so again after PHP 5.1 has been branched for release.
 [2005-10-23 09:30 UTC] mike@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 