Bug #62255 PDO ODBC Segfaults on SQL_SUCCESS_WITH_INFO with SQL_NO_TOTAL
Submitted: 2012-06-07 21:58 UTC Modified: 2020-10-11 04:22 UTC
Votes:5
Avg. Score:4.6 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:2 (40.0%)
From: ramsden at shsu dot edu Assigned: cmb (profile)
Status: No Feedback Package: PDO ODBC
PHP Version: 5.3.13 OS: Linux
Private report: No CVE-ID: None

 [2012-06-07 21:58 UTC] ramsden at shsu dot edu
Description:
------------
PDO ODBC is segfaulting when grabbing CLOB data from a MIMER database. When the 
length of the column's content is <= 256 "C->fetched_len" is equal to the actual 
length and the CLOB data is returned correctly. When it's greater than 256 
"C->fetched_len" is equal to SQL_NO_TOTAL (-4) and we fall through to the ELSE 
block in odbc_stmt.c:645.

The code prior to this patch 
(https://github.com/php/php-src/commit/283accdf159ed98f5ac4d2f89f9ee2a2de1c946a#ext/pdo_odbc/odbc_stmt.c) 
returned CLOB data correctly. With the call to emalloc() and memcpy() having 
been replaced with a call to estrndup() we now see segfaults:


Sample table for code below:
---------------

create table blah.clobtest (
id bigint not null,
data clob,

primary key(id)
);

-- grabbing this works correctly
insert into blah.clobtest values (1,
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxx'
);

-- grabbing this causes php pdo segfault
insert into blah.clobtest values (2,
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
);

Test script:
---------------
<?php

try
{
    echo "connecting to local mimer...\n";

    $db = new PDO('odbc:DSN=test;UID=sysadm;PWD=password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $db->prepare("select id,data from blah.clobtest where id = 2");
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    print_r($row);
}
catch (Exception $e) 
{
    die($e->getMessage());
}

Expected result:
----------------
It should return an array('ID' => [int], 'DATA' => [string]) of CLOB data 
regardless of CLOB length.

Actual result:
--------------
colt@debian:~/Desktop$ gdb php
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/php...done.
(gdb) run test.php
Starting program: /usr/local/bin/php test.php
[Thread debugging using libthread_db enabled]
connecting to local mimer...
[Thu Jun  7 16:39:35 2012]  Script:  'test.php'
---------------------------------------
/home/colt/Downloads/php-5.3.13/ext/pdo_odbc/odbc_stmt.c(679) : Block 0x08962910 status:
Invalid pointer: ((size=0x00000135) != (next.prev=0x78787878))
---------------------------------------

Program received signal SIGSEGV, Segmentation fault.
0x083c9188 in zend_mm_search_large_block (heap=0x8828470, true_size=8240) at /home/colt/Downloads/php-5.3.13/Zend/zend_alloc.c:1803
1803			if (ZEND_MM_FREE_BLOCK_SIZE(p) < ZEND_MM_FREE_BLOCK_SIZE(best_fit)) {
(gdb) bt
#0  0x083c9188 in zend_mm_search_large_block (heap=0x8828470, true_size=8240) at /home/colt/Downloads/php-5.3.13/Zend/zend_alloc.c:1803
#1  0x083c9349 in _zend_mm_alloc_int (heap=0x8828470, size=8192, __zend_filename=0x87a5b88 "/home/colt/Downloads/php-5.3.13/ext/pdo_odbc/odbc_stmt.c", 
    __zend_lineno=679, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/colt/Downloads/php-5.3.13/Zend/zend_alloc.c:1862
#2  0x083c9b15 in _zend_mm_realloc_int (heap=0x8828470, p=0x8962910, size=8192, __zend_filename=0x87a5b88 "/home/colt/Downloads/php-5.3.13/ext/pdo_odbc/odbc_stmt.c", 
    __zend_lineno=679, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/colt/Downloads/php-5.3.13/Zend/zend_alloc.c:2056
#3  0x083caa39 in _erealloc (ptr=0x8962910, size=8192, allow_failure=0, __zend_filename=0x87a5b88 "/home/colt/Downloads/php-5.3.13/ext/pdo_odbc/odbc_stmt.c", 
    __zend_lineno=679, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/colt/Downloads/php-5.3.13/Zend/zend_alloc.c:2371
#4  0x082106a7 in odbc_stmt_get_col (stmt=0x8961658, colno=1, ptr=0xbfffcd8c, len=0xbfffcd88, caller_frees=0xbfffcd84, tsrm_ls=0x8827050)
    at /home/colt/Downloads/php-5.3.13/ext/pdo_odbc/odbc_stmt.c:679
#5  0x0820590a in fetch_value (stmt=0x8961658, dest=0x89628cc, colno=1, type_override=0x0, tsrm_ls=0x8827050)
    at /home/colt/Downloads/php-5.3.13/ext/pdo/pdo_stmt.c:561
#6  0x0820739e in do_fetch (stmt=0x8961658, do_bind=1, return_value=0x896279c, how=PDO_FETCH_ASSOC, ori=PDO_FETCH_ORI_NEXT, offset=0, return_all=0x0, 
    tsrm_ls=0x8827050) at /home/colt/Downloads/php-5.3.13/ext/pdo/pdo_stmt.c:1046
#7  0x0820815e in zim_PDOStatement_fetch (ht=1, return_value=0x896279c, return_value_ptr=0x0, this_ptr=0x8960260, return_value_used=1, tsrm_ls=0x8827050)
    at /home/colt/Downloads/php-5.3.13/ext/pdo/pdo_stmt.c:1322
#8  0x084278c5 in zend_do_fcall_common_helper_SPEC (execute_data=0x8990de4, tsrm_ls=0x8827050) at /home/colt/Downloads/php-5.3.13/Zend/zend_vm_execute.h:320
#9  0x0842812d in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x8990de4, tsrm_ls=0x8827050) at /home/colt/Downloads/php-5.3.13/Zend/zend_vm_execute.h:425
#10 0x08426b5e in execute (op_array=0x8960110, tsrm_ls=0x8827050) at /home/colt/Downloads/php-5.3.13/Zend/zend_vm_execute.h:107
#11 0x083f43f1 in zend_execute_scripts (type=8, tsrm_ls=0x8827050, retval=0x0, file_count=3) at /home/colt/Downloads/php-5.3.13/Zend/zend.c:1236
#12 0x0836eb1e in php_execute_script (primary_file=0xbffff3a8, tsrm_ls=0x8827050) at /home/colt/Downloads/php-5.3.13/main/main.c:2308
#13 0x084d06ba in main (argc=2, argv=0xbffff524) at /home/colt/Downloads/php-5.3.13/sapi/cli/php_cli.c:1184
(gdb) 
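
An added example, not PHP's code and not part of the original report: a chunked long-column read loop that treats SQL_NO_TOTAL as "length unknown" and keeps the buffer capacity and the bytes used in step, so each call is handed exactly the space that is really allocated. `struct mock_col`, `mock_get_data` and `fetch_long_col` are hypothetical names; the mock stands in for a driver's SQLGetData so the block runs offline.

```c
#include <stdlib.h>
#include <string.h>

/* Constants mirror the ODBC header values; SQL_NO_TOTAL is the -4 from the report. */
enum { SQL_SUCCESS = 0, SQL_SUCCESS_WITH_INFO = 1, SQL_NO_TOTAL = -4 };

/* Constructed mock column: a stand-in for a driver, not a real ODBC handle. */
struct mock_col { const char *src; size_t len, pos; int knows_total; };

/* Hypothetical stand-in for SQLGetData(..., SQL_C_CHAR, ...): writes at most
 * cap-1 bytes plus a NUL; on truncation *ind is the bytes that were left
 * before the call, or SQL_NO_TOTAL when the driver cannot tell. */
static int mock_get_data(struct mock_col *c, char *buf, size_t cap, long *ind)
{
    size_t left = c->len - c->pos;
    size_t n = left < cap - 1 ? left : cap - 1;
    memcpy(buf, c->src + c->pos, n);
    buf[n] = '\0';
    c->pos += n;
    *ind = (n < left && !c->knows_total) ? SQL_NO_TOTAL : (long)left;
    return n < left ? SQL_SUCCESS_WITH_INFO : SQL_SUCCESS;
}

/* Reads the whole column into a malloc'd, NUL-terminated buffer.
 * Invariant: used < cap, and every call is given exactly cap - used bytes. */
char *fetch_long_col(struct mock_col *c, size_t *out_len)
{
    size_t cap = 256, used = 0;
    char *buf = malloc(cap), *tmp;
    if (!buf) return NULL;
    for (;;) {
        long ind = 0;
        size_t room = cap - used;
        int rc = mock_get_data(c, buf + used, room, &ind);
        if (rc == SQL_SUCCESS) {
            /* Final chunk: a sane indicator is the byte count just written. */
            used += (ind > 0 && (size_t)ind < room) ? (size_t)ind : strlen(buf + used);
            break;
        }
        if (rc != SQL_SUCCESS_WITH_INFO) { free(buf); return NULL; }
        used += room - 1;   /* truncated: room-1 data bytes, then the NUL */
        /* Never size from a negative indicator: trust a real total, else double. */
        cap = (ind > (long)(room - 1)) ? used + ((size_t)ind - (room - 1)) + 1 : cap * 2;
        if (!(tmp = realloc(buf, cap))) { free(buf); return NULL; }
        buf = tmp;
    }
    *out_len = used;
    return buf;
}
```

The 300-byte case corresponds to row 2 of the sample table: the first call fills 255 bytes and reports SQL_NO_TOTAL, and the second call finishes the value in the regrown buffer.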

 [2014-01-01 12:37 UTC] felipe@php.net
-Package: PDO related +Package: PDO ODBC
 [2020-09-29 15:14 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-09-29 15:14 UTC] cmb@php.net
This appears to be a duplicate of bug #62379, which has been fixed
long ago, or can you still reproduce this problem with any of the
actively supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2020-10-11 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
Last updated: Tue Apr 16 11:01:29 2024 UTC