Bug #56642 invalid bindParam causes segfault
Submitted: 2005-11-12 15:27 UTC
Modified: 2005-11-16 01:32 UTC
From: curt@php.net
Assigned: wez
Status: Closed
Package: PDO (PECL)
PHP Version: 5_1 CVS-2005-11-12 (dev)
OS: *
Private report: No
CVE-ID: None
 [2005-11-12 15:27 UTC] curt@php.net
Description:
------------
When binding a parameter that doesn't exist, pdo_stmt still keeps the param in the hash table of params, even though the driver said it was invalid.

Reproduce code:
---------------
example (same as below):
http://zirzow.dyndns.org/patches/pdo_stmt.c.bindParam.phps

patch:
http://zirzow.dyndns.org/patches/pdo_stmt.c.bindParam.patch

<?php

try {
    $dbh = new PDO('mysql:host=localhost;dbname=test', '', '');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $dbh->exec('create table foo ( bar char(3) NULL )');

    // ':p' sits inside a quoted SQL string literal, so the statement has no placeholder named :p
    $sql = "select bar from foo where bar = ':p'";
    $stmt = $dbh->prepare($sql);

    $p = 'foo';
    $stmt->bindParam(':p', $p) or print_r($stmt->errorInfo());
    $stmt->execute();
    $stmt = null;
}
catch (PDOException $e) {
    echo $e, "\n";
}

if($dbh) $dbh->exec('drop table IF EXISTS foo');


Expected result:
----------------
Array
(
    [0] => HY093
)
no segfault

Actual result:
--------------
Starting program: /usr/home/curt/cvs/php/php51/sapi/cli/php match.php
Array
(
    [0] => HY093
)

Program received signal SIGSEGV, Segmentation fault.
pdo_mysql_stmt_param_hook (stmt=0x855bc0c, param=0x855d34c, event_type=PDO_PARAM_EVT_ALLOC)
    at /usr/home/curt/cvs/php/php51/ext/pdo_mysql/mysql_statement.c:314
314                                     *b->is_null = 0;

(gdb) bt
#0  pdo_mysql_stmt_param_hook (stmt=0x855bc0c, param=0x855d34c, event_type=PDO_PARAM_EVT_ALLOC)
    at /usr/home/curt/cvs/php/php51/ext/pdo_mysql/mysql_statement.c:314
#1  0x080dc76c in dispatch_param_event (stmt=0x855bc0c, event_type=PDO_PARAM_EVT_EXEC_PRE)
    at /usr/home/curt/cvs/php/php51/ext/pdo/pdo_stmt.c:149
#2  0x080dce9c in zif_PDOStatement_execute (ht=0, return_value=0x856afac, return_value_ptr=0x0, 
    this_ptr=0x856ae4c, return_value_used=0) at /usr/home/curt/cvs/php/php51/ext/pdo/pdo_stmt.c:410
#3  0x0821c565 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfbfcf70)
    at zend_vm_execute.h:188
#4  0x0821bf95 in execute (op_array=0x855b90c) at zend_vm_execute.h:88
#5  0x081fbb76 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/home/curt/cvs/php/php51/Zend/zend.c:1087
#6  0x081c87ec in php_execute_script (primary_file=0xbfbfe754)
    at /usr/home/curt/cvs/php/php51/main/main.c:1677
#7  0x0827d9f4 in main (argc=2, argv=0xbfbfe7e4)
    at /usr/home/curt/cvs/php/php51/sapi/cli/php_cli.c:1041

(gdb) print b
$1 = (MYSQL_BIND *) 0x0

(gdb) print param
$2 = (struct pdo_bound_param_data *) 0x855d34c

(gdb) print *param
$3 = {paramno = -1, name = 0x856af2c ":k", namelen = 2, max_value_len = 0, parameter = 0x856aeac, 
  param_type = PDO_PARAM_STR, driver_params = 0x0, driver_data = 0x0, stmt = 0x855bc0c, 
  is_param = 1}



 [2005-11-16 01:32 UTC] wez@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Fixed with a slightly modified version of your patch; thanks :)
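
The failure mode described in this report, as an added example: a toy C model of a bind routine that leaves a driver-rejected parameter in the statement's table, beside a variant that registers the parameter only after the driver accepts it. This is not the PDO source and not the patch referenced above; every struct and function name is hypothetical, and the sample statement is constructed.

```c
/* Added illustration: toy model of the bug class, not PDO source. All names hypothetical. */
#include <stdio.h>
#include <string.h>
#define MAX_PARAMS 8

struct param { const char *name; int paramno; };   /* paramno -1: no such placeholder */
struct stmt {
    const char *placeholders[MAX_PARAMS]; int nplaceholders;  /* parsed from the SQL */
    struct param bound[MAX_PARAMS];       int nbound;         /* table of bound params */
};

/* Driver check at bind time: resolve the name to a placeholder index, or reject. */
static int driver_alloc_hook(const struct stmt *s, struct param *p) {
    for (int i = 0; i < s->nplaceholders; i++)
        if (strcmp(s->placeholders[i], p->name) == 0) { p->paramno = i; return 1; }
    p->paramno = -1;
    return 0;   /* the report's HY093 case */
}

/* Flawed ordering: register first, ask the driver second, never undo a rejection. */
static int bind_param_flawed(struct stmt *s, const char *name) {
    if (s->nbound == MAX_PARAMS) return 0;
    struct param *p = &s->bound[s->nbound++];
    p->name = name;
    return driver_alloc_hook(s, p);   /* rejected entry stays in the table */
}

/* Hardened: the entry enters the table only after the driver accepts it. */
static int bind_param_checked(struct stmt *s, const char *name) {
    struct param p = { name, -1 };
    if (s->nbound == MAX_PARAMS || !driver_alloc_hook(s, &p)) return 0;
    s->bound[s->nbound++] = p;
    return 1;
}

/* Execute-time dispatch visits every table entry. Returns the number of entries with
 * no driver-side slot; in the report such an entry led to the NULL MYSQL_BIND write. */
static int exec_dispatch(const struct stmt *s) {
    int dangling = 0;
    for (int i = 0; i < s->nbound; i++)
        if (s->bound[i].paramno < 0) dangling++;
    return dangling;
}

int main(void) {
    struct stmt a = { .placeholders = { ":id" }, .nplaceholders = 1 }, b = a;  /* constructed */
    bind_param_flawed(&a, ":p"); bind_param_checked(&b, ":p");
    printf("flawed: %d dangling, checked: %d dangling\n", exec_dispatch(&a), exec_dispatch(&b));
    return 0;
}
```

Both bind routines report failure for `:p`; only the flawed one leaves an entry behind for the execute-time walk to trip over.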
 
Last updated: Sat Dec 21 13:01:31 2024 UTC