PHP :: Bug #57549 :: segfault in Instant Client

Bug #57549	segfault in Instant Client
Submitted:	2007-02-26 13:19 UTC	Modified:	2007-08-17 04:42 UTC
From:	ulf dot moeller at secardeo dot com	Assigned:
Status:	Closed	Package:	oci8 (PECL)
PHP Version:	4.4.4	OS:	Solaris 5.8
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-02-26 13:19 UTC] ulf dot moeller at secardeo dot com

Description:
------------
I am seeing segfaults in an Apache web server which I believe to be related to the OCI8 extension.

While a php script is being executed, the Instant Client repeatedly calls php_oci_lob_callback() which in turn uses _erealloc() to get additional memory. When the memory limit from php.ini (32M in this case) is exceeded, _erealloc() calls zend_error() from the macro CHECK_MEMORY_LIMIT in order to report a fatal error "Allowed memory size of 33554432 bytes exhausted".

Then _zend_bailout() is called and a longjmp to php_request_shutdown() is done. php_oci_lob_free() is called to free data.

At this point, in the PHP debug version the hash table consistency check fails and the webserver is shut down with ".../Zend/zend_hash.c(108) : Bailed out without a bailout address!" In the no-debug version, consistency is not checked and Instant Client crashes trying to free the data.

I do not know exactly where the table turns inconsistent.

Here is a backtrace:

(gdb) bt
#0  0xfd6af530 in kohfrr ()
   from xxx/instantclient_10_2/libclntsh.so.10.1
#1  0xfd6b00f8 in kohfrw ()
   from xxx/instantclient_10_2/libclntsh.so.10.1
#2  0xfd1c01e0 in kpufdesc ()
   from xxx/instantclient_10_2/libclntsh.so.10.1
#3  0xfe1c72f0 in php_oci_lob_free ()
   from xxx/modules/libphp4.so
#4  0xfe1bfb48 in php_oci_descriptor_list_dtor ()
   from xxx/modules/libphp4.so
#5  0xfe32fcd8 in list_entry_destructor ()
   from xxx/modules/libphp4.so
#6  0xfe32d1b0 in zend_hash_apply_deleter ()
   from xxx/modules/libphp4.so
#7  0xfe32d49c in zend_hash_graceful_reverse_destroy ()
   from xxx/modules/libphp4.so
#8  0xfe32ff24 in zend_destroy_rsrc_list ()
   from xxx/modules/libphp4.so
#9  0xfe313ce8 in shutdown_executor ()
   from xxx/modules/libphp4.so
#10 0xfe324598 in zend_deactivate ()
   from xxx/modules/libphp4.so
#11 0xfe2ca650 in php_request_shutdown ()
   from xxx/modules/libphp4.so
#12 0xfe348ad0 in php_apache_request_dtor ()
   from xxx/modules/libphp4.so
#13 0xfe3494b8 in php_handler ()
   from xxx/modules/libphp4.so
#14 0x0006d89c in ap_run_handler ()
#15 0x0006e5b8 in ap_invoke_handler ()
#16 0x00050f58 in ap_process_request ()
#17 0x000473e8 in ap_process_http_connection ()
#18 0x000823a8 in ap_run_process_connection ()
#19 0x000829e0 in ap_process_connection ()
#20 0x0006aa90 in child_main ()
#21 0x0006ac20 in make_child ()
#22 0x0006ae0c in startup_children ()
#23 0x0006b658 in ap_mpm_run ()
#24 0x00077b80 in main ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-02-26 13:24 UTC] tony2001 at phpclub dot net

Please provide short but complete reproduce code.

[2007-03-07 07:42 UTC] ulf dot moeller at secardeo dot com

Here is the script. The error occurs whenever a file read from the database is too large to fit within the memory limit. For example, we can reproduce the eror with a 1.5 meg file with memory_limit = 2M.

<?
	$REAL_PATH = "/xxx/htdocs/";
	$REAL_URL = "http://xxx.com";
}
include_once($REAL_PATH . "_phplib/_dblib.php");
$newstable = "NEWS"; // org: NEWS
$atttable = "ATTACHMENT"; // org: ATTACHMENT
$syntable = "NEWS_ATTACHMENT"; // org: NEWS_ATTACHMENT
$view = "ARTIKELS"; // org: ARTIKELS

$db = new oracleQuery($EEANEWS_USER,$EEANEWS_PASS,$PRODDB);

if($id != ""){
	$SQL = "SELECT typ from $atttable where id='$id'";
	$db->setStatement($SQL);
	$typus = $db->getResult();
	$typ = $typus["TYP"][0];

    header("Cache-Control: ");// leave blank to avoid IE errors
    header("Pragma: ");// leave blank to avoid IE errors
    //header(sprintf('Content-Type: %s', $file['FILETYPE']));
	
	switch($typ){
		case "PDF":
			header("Content-Type: application/pdf");
			$file_ext = 'document.pdf';
			break;
		case "DOC":
			header("Content-Type: application/msword");
			$file_ext = 'document.doc';
			break;
		case "XLS":
			header("Content-Type: application/msexcel");
			$file_ext = 'document.xls';
			break;
		case "PPT":
			header("Content-Type: application/vnd.ms-powerpoint");
			$file_ext = 'document.ppt';
			break;
		case "JPG":
			header("Content-Type: image/jpeg");
			$file_ext = 'bild.jpg';
			break;
		case "GIF":
			header("Content-Type: image/gif");
			$file_ext = 'bild.gif';
			break;
		case "BMP":
			header("Content-Type: image/bmp");
			$file_ext = 'bild.bmp';
			break;
		case "EXE":
			header("Content-Type: application/octet-stream");
			$file_ext = 'datei.exe';
			break;
		case "ZIP":
			header("Content-Type: application/zip");
			$file_ext = 'archiv.zip';
			break;
		default:
			header("Content-Type: application/octet-stream");
			break;
	}


    $SQL="SELECT data FROM $atttable WHERE id='$id'";
    $db->setStatement($SQL);
    $result=$db->getLob();

    header(sprintf('Content-Disposition: attachment; filename=%s',$file_ext));
    header("Content-length:".strlen($result));

    if($result){
        echo $result;
    } else {
        error();
    }
} else {
    error();
}
$db->disconnect();
function error(){
?>
<html>
<head>
<title>FEHLER</title>
</head>
<body bgcolor="#FFFFFF">
<center><b><font face="Arial">
Der Anhang wurde nicht gefunden.
</font></b></center>
</body>
</html>
<?
}
?>

[2007-03-07 07:47 UTC] tony2001 at phpclub dot net

$result=$db->getLob()?
I don't know such OCI8 method.

[2007-03-07 08:36 UTC] tony2001 at phpclub dot net

Please don't forget to specify version of Instant Client and version of OCI8.

With OIC 10.1.0.3 the only error I can see is "Warning: Unknown(): ORA-24909: call in progress. Current operation cancelled".
Oracle9 native client does segfault, but only with PHP4 (which you shouldn't be using anyway).

[2007-03-08 03:11 UTC] ulf dot moeller at secardeo dot com

Oracle Instant Client is version 10.2.0.2, used with PHP 4.

[2007-03-29 04:34 UTC] tony2001 at phpclub dot net

This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

[2007-08-16 19:10 UTC] wade dot ziegler at swgas dot com

It looks like this bug fix has not made it into the PHP 5.2.3 release.  I'm getting the same result so I have to downgrade back to PHP 4.

[2007-08-17 04:42 UTC] tony at daylessday dot org

>It looks like this bug fix has not made it into the PHP 5.2.3 release. 
Of course it did.

>I'm getting the same result so I have to downgrade back to PHP 4.
Wha? PHP4 surely doesn't have this fix, OCI8 in PHP4 is unsupported for years.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Dec 26 10:01:29 2024 UTC