php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #6215 php core dumps on selects with blob columns
Submitted: 2000-08-17 09:49 UTC Modified: 2000-11-09 14:48 UTC
From: helmut dot koeberle at bytec dot de Assigned: danny (profile)
Status: Closed Package: Informix related
PHP Version: 4.0.3pl1 OS: Linux RedHat 6.1/6.2
Private report: No CVE-ID: None
 [2000-08-17 09:49 UTC] helmut dot koeberle at bytec dot de
./configure \
    --prefix=/usr \
    --with-informix \
    --without-mysql \
    --enable-debug \

example script:

<?php

$cid = ifx_connect("php_tests");
if (! $cid) { ifx_error(); ifx_errormsg(); die; }

//ifx_blobinfile_mode(0);
ifx_blobinfile_mode(1);

$rid = ifx_prepare("select doc from xxx", $cid);
if (! $rid) { ifx_error(); ifx_errormsg(); die; }
if (! ifx_do($rid)) { ifx_error(); ifx_errormsg(); die; }

$row = ifx_fetch_row($rid);
$blob = ifx_get_blob($row["doc"]);

ifx_free_blob($blob);
ifx_free_result($rid);
ifx_close($cid);

?>

gdb backtrace:

#0  0x4023ef93 in __libc_free (mem=0x80e964d) at malloc.c:3012
3012    malloc.c: No such file or directory.
(gdb) bt
#0  0x4023ef93 in __libc_free (mem=0x80e964d) at malloc.c:3012
#1  0x806ffa5 in php3_intifx_create_tmpfile (bid=1)
    at /tmp/php-4.0.1pl2/ext/informix/ifx.ec:3713
#2  0x806d186 in php_if_ifx_do (ht=1, return_value=0x8151614, this_ptr=0x0, 
    return_value_used=1) at /tmp/php-4.0.1pl2/ext/informix/ifx.ec:1661
#3  0x80e08f9 in execute (op_array=0x8132604) at ./zend_execute.c:1558
#4  0x805d7cb in php_execute_script (primary_file=0xbffffa44) at main.c:1157
#5  0x805c1c9 in main (argc=2, argv=0xbffffaa4) at cgi_main.c:661
(gdb) 


with ifx_blobinfile_mode(0) the error goes to:

#0  0x806fb58 in php3_intifx_free_blob (bid=0, list=0x812b138)
    at /tmp/php-4.0.1pl2/ext/informix/ifx.ec:3429
3429     if (type!=IFXL(le_idresult) && !(Ifx_blob->type==TYPE_BLTEXT || Ifx_blob->type==TYPE_BLBYTE)) {
(gdb) bt
#0  0x806fb58 in php3_intifx_free_blob (bid=0, list=0x812b138)
    at /tmp/php-4.0.1pl2/ext/informix/ifx.ec:3429
#1  0x806fb17 in php_if_ifx_free_blob (ht=1, return_value=0x818872c, 
    this_ptr=0x0, return_value_used=0)
    at /tmp/php-4.0.1pl2/ext/informix/ifx.ec:3402
#2  0x80e08f9 in execute (op_array=0x8132604) at ./zend_execute.c:1558
#3  0x805d7cb in php_execute_script (primary_file=0xbffffa34) at main.c:1157
#4  0x805c1c9 in main (argc=2, argv=0xbffffa94) at cgi_main.c:661
(gdb) 


if i convert some of the free-statements in 
php3_intifx_create_tmpfile() to efree-statements,
then the blob is stored in a tempfile, but php 
also dumps core in php3_intifx_free_blob().

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-09-04 17:01 UTC] danny@php.net
It is caused by the "tempnam()" function that fails for some reason or other
and the return value is not checked so that free gets called with NULL as
argument.

I don't know why tempnam() fails on you but not checking the return value
of tempnam() is a bug that will be fixed.

Danny
---
 [2000-09-04 17:20 UTC] danny@php.net
Fixed the crash caused by the invalid free() in the current CVS, but you will still have to find out why tempnam() fails on your system.

Danny
---
 [2000-10-18 09:12 UTC] helmut dot koeberle at bytec dot de
Changed to Version 4.0.3pl1 with the following error:

Program received signal SIGSEGV, Segmentation fault.
0x8087cbf in php3_intifx_get_blob (bid=0, list=0x81dc084, content=0xbfffe198)
    at /ali1/btc/src/apache/php-4.0.3pl1/ext/informix/ifx.ec:3622
3622     if (type!=IFXL(le_idresult) && !(Ifx_blob->type==TYPE_BLTEXT || Ifx_blob->type==TYPE_BLBYTE)) {
(gdb) bt
#0  0x8087cbf in php3_intifx_get_blob (bid=0, list=0x81dc084, 
    content=0xbfffe198)
    at /ali1/btc/src/apache/php-4.0.3pl1/ext/informix/ifx.ec:3622
#1  0x8087c40 in php_if_ifx_get_blob (ht=1, return_value=0x823b96c, 
    this_ptr=0x0, return_value_used=1)
    at /ali1/btc/src/apache/php-4.0.3pl1/ext/informix/ifx.ec:3594
#2  0x80fc9ec in execute (op_array=0x82084fc) at ./zend_execute.c:1519
#3  0x80d9bf8 in zend_execute_scripts (type=8, file_count=3) at zend.c:717
#4  0x8068821 in php_execute_script (primary_file=0xbffff854) at main.c:1200
#5  0x80671b9 in main (argc=2, argv=0xbffff8b4) at cgi_main.c:715

 [2000-10-30 12:30 UTC] helmut dot koeberle at bytec dot de
In line 3621 of ifx.ec:
Ifx_blob = (IFX_IDRES *) zend_list_find(bid,&type);
returns NULL and therefore in line 3622
if (type!=IFXL(le_idresult) && !(Ifx_blob->type==TYPE_BLTEXT || Ifx_blob->
type==TYPE_BLBYTE))
gets a SIGSEGV

We use INFORMIX-ESQL Version 9.30.UC1 and we can reproduce
this problem on RedHat, SuSE and Debian.
 [2000-11-09 14:48 UTC] danny@php.net
It was a user coding error, but using blob_in_file mode actually crashed 
php4 when generating the temp file by freeing memory that was never
allocated.

This crash is fixed in current CVS.

The erroneous script code :
  $blob = ifx_get_blob($row["doc"]);
  ifx_free_blob($blob); // $blob is not a blob id !

The correct script code :
  $blob_id = $row["doc"]; // first get the blob id
  $blob     = ifx_get_blob($blob_id);
  ifx_free_blob($blob_id); // free the blob id

You have to free the blob identifier, not the blob 
(which is a file name anyway in this case).

Danny
---
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Jan 19 01:01:25 2019 UTC