Bug #58632 db2_execute() segfault on an empty string as a bind parameter
Submitted: 2009-04-15 05:51 UTC Modified: 2009-12-24 03:19 UTC
From: t-yonetani at ergobrains dot co dot jp Assigned:
Status: Closed Package: ibm_db2 (PECL)
PHP Version: 4.4.9 OS: CentOS 4.6
Private report: No CVE-ID: None
 [2009-04-15 05:51 UTC] t-yonetani at ergobrains dot co dot jp
Description:
------------
In the !defined(PASE) case, _php_db2_bind_data() won't allocate a memory area dynamically for a 0-length string, but db2_execute() attempts to efree() it unconditionally in the cleanup code, so it ends up with a SIGSEGV somewhere in efree().

Reproduce code:
---------------
// $database, $username and $password are the reporter's placeholders, not defined here.
$db = db2_connect($database, $username, $password);
// db2_prepare() takes the connection resource as its first argument.
$st = db2_prepare($db, "VALUES CAST(? AS CHAR(10))");
// Binding a zero-length string drives the cleanup path that efree()s a buffer that was never allocated.
db2_execute($st, array(""));

Expected result:
----------------
successfully terminate

Actual result:
--------------
PHP catches SIGSEGV
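The allocation/free mismatch the description names, as an added C illustration that is not ibm_db2 code: bind_data() mirrors the non-PASE behaviour of _php_db2_bind_data() (no heap buffer for a zero-length string), cleanup_unconditional() frees the way the db2_execute() cleanup did, and cleanup_by_ownership() keys the free on an explicit ownership flag instead of on length. The struct, the counting stand-in for efree() and all function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the bound parameter (not ibm_db2's own struct):
 * 'owned' records whether 'val' came from the heap. */
typedef struct {
    char  *val;
    size_t len;
    int    owned;
} bound_str;

static char empty_str[1] = "";   /* shared buffer for zero-length strings */
static int  live_allocs  = 0;    /* allocations minus frees */
static int  bad_frees    = 0;    /* frees of a pointer that was never allocated */

/* Mirrors the non-PASE behaviour described in the report: a zero-length
 * string gets no dynamic buffer, anything longer is copied to the heap. */
void bind_data(bound_str *b, const char *src) {
    b->len = strlen(src);
    if (b->len == 0) { b->val = empty_str; b->owned = 0; return; }
    b->val = malloc(b->len + 1);
    memcpy(b->val, src, b->len + 1);
    b->owned = 1;
    live_allocs++;
}

/* Stand-in for efree(): freeing a pointer that was never allocated is
 * counted instead of passed to free(), which is where the real code faults. */
static void release(bound_str *b) {
    if (!b->owned) { bad_frees++; return; }
    free(b->val); live_allocs--;
}

/* Cleanup as the report describes it: frees the string unconditionally. */
void cleanup_unconditional(bound_str *b) { release(b); }

/* Hardened cleanup: the free is keyed on ownership, not on the length. */
void cleanup_by_ownership(bound_str *b) { if (b->owned) release(b); }

/* Binds and cleans up each input with the given cleanup routine; returns the
 * number of invalid frees it provoked. leaked() reports unfreed buffers. */
int run_cycle(const char **inputs, size_t n, void (*cleanup)(bound_str *)) {
    live_allocs = 0; bad_frees = 0;
    for (size_t i = 0; i < n; i++) {
        bound_str b;
        bind_data(&b, inputs[i]);
        cleanup(&b);
    }
    return bad_frees;
}
int leaked(void) { return live_allocs; }
```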

 [2009-04-15 05:57 UTC] t-yonetani at ergobrains dot co dot jp
Sorry, the second line in `Reproduce code' should've been

$st = db2_prepare($db, "VALUES CAST(? AS CHAR(10))");

to successfully terminate.
 [2009-04-20 07:30 UTC] abhargav at in dot ibm dot com
Hi,

Can you tell me what is the version of IBM_DB2 you are using?

Regards,
Ambrish Bhargava
 [2009-04-20 21:43 UTC] t-yonetani at ergobrains dot co dot jp
Hi,
db2level command says:
DB21085I  Instance "db2inst1" uses "32" bits and DB2 code release "SQL08029"
with level identifier "030A0106".
Informational tokens are "DB2 v8.1.2.152", "s080813", "MI00248", and FixPak
"17".
Product is installed at "/opt/IBM/db2/V8.1".
 [2009-04-20 21:48 UTC] t-yonetani at ergobrains dot co dot jp
It seems like I misunderstood your question; I'm using ibm_db2-1.8.2.  Please let me know if there's any newer version to try.

Regards,
YONETANI Tomokazu
 [2009-04-21 04:58 UTC] abhargav at in dot ibm dot com
Hi,

Please apply following patch and see if it helps:

3967c3967,3969
< 				efree((prev_ptr->value)->value.str.val);
---
> 				if((prev_ptr->value)->value.str.val != NULL && (prev_ptr->value)->value.str.len != 0) {
> 					efree((prev_ptr->value)->value.str.val);
> 				}
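Review bot: The guard added at line 3967 keys the free on `value.str.len != 0`, which only matches the non-PASE build where `_php_db2_bind_data()` skips the allocation for a zero-length string; in a build that does allocate a buffer for an empty string this hunk now leaks it. Safer to record at bind time whether `str.val` was allocated and test that flag here, so the free stays paired with the allocation regardless of length.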
3970,3971c3972,3975
< 			if( prev_ptr->param_type != DB2_PARAM_OUT && prev_ptr->param_type != DB2_PARAM_INOUT ){
< 				efree(prev_ptr->value);
---
> 			if( prev_ptr->param_type != DB2_PARAM_OUT && prev_ptr->param_type != DB2_PARAM_INOUT ) {
> 				if(prev_ptr->value != NULL) {
> 					efree(prev_ptr->value);
> 				}
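Review bot: The `prev_ptr->value != NULL` check added at line 3972 comes after the preceding hunk has already dereferenced `(prev_ptr->value)->value.str.val`, so a NULL `value` would fault before reaching it. If `value` can be NULL here, the check belongs before the `str.val` access, with one `if(prev_ptr->value != NULL)` wrapping both frees; if it cannot, the check is dead code and can be dropped.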


Regards,
Ambrish Bhargava
 [2009-04-21 20:09 UTC] t-yonetani at ergobrains dot co dot jp
Apparently the patch fixes the issue.  By the way, I think that the NULL check you added for (prev_ptr->value), should it ever be NULL, needs to be performed before looking at (prev_ptr->value)->value.str.val, or else you would end up with a NULL-pointer dereference.

Thanks.
 [2009-08-18 01:23 UTC] yonetani at spireinc dot jp
Hi, can someone tell me the status on this issue?  Any plan on a new release?  I'm looking forward to hearing from you.

Thanks in advance.
 [2009-08-18 02:05 UTC] abhargav at in dot ibm dot com
Hi,

Currently I am working on some other issue and hence the release got delayed. I will try to make a release ASAP.

Regards,
Ambrish Bhargava
 [2009-12-24 03:19 UTC] abhargav at in dot ibm dot com
Thank you for your bug report. This issue has been fixed
in the latest released version of the package, which you can download at
http://pecl.php.net/get/ibm_db2

