Bug #63530 mysqlnd_stmt::bind_one_parameter uses wrong alloc for stmt->param_bind
Submitted: 2012-11-15 18:34 UTC Modified: 2013-03-14 14:05 UTC
From: geoff at lollywollydoodle dot com Assigned: mysql
Status: Closed Package: MySQL related
PHP Version: 5.3.18 OS: OS X 10.8.2
Private report: No CVE-ID:
 [2012-11-15 18:34 UTC] geoff at lollywollydoodle dot com
Description:
------------
This issue is specific to PDO, mysqlnd, PDO::ATTR_EMULATE_PREPARES => false, and PDO::ATTR_PERSISTENT => true.

When you run a prepared statement with parameters this way, PHP crashes.

My fix is essentially the same as the one for bug 61411, but just in a different function. I browsed around git at some other HEADs, including master, and it looks like this issue is still there in all of them.

Test script:
---------------
<?php
// DBHOST, DBDATA, DBUSER, DBPASS and table `t` are assumed to be defined/created
// elsewhere (e.g. an included config file); they are not part of this report.
$dbh = new PDO('mysql:host=' . DBHOST . ';dbname=' . DBDATA, DBUSER, DBPASS,
        array(PDO::ATTR_EMULATE_PREPARES => false,  // native server-side prepares through mysqlnd
              PDO::ATTR_PERSISTENT => true));        // persistent connection: the crashing combination
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$s = $dbh->prepare('select * from t where id = :id limit 1');
$s->execute(array(':id' => 1));   // binds :id natively (mysqlnd bind_one_parameter)

$r = $s->fetch(PDO::FETCH_ASSOC);
// The crash in the backtrace below fires in the statement destructor, i.e. when $s is freed.

Expected result:
----------------
Script to not crash, result set to be available

Actual result:
--------------
PHP crashes (php-cgi or httpd process).


#0  0x00007fff89a4a558 in malloc_error_break ()
#1  0x00007fff89a4b912 in free ()
#2  0x000000010a874c00 in _mysqlnd_pefree (ptr=0x103, persistent=1 '\001') at mysqlnd_debug.c:1062
#3  0x000000010a876107 in php_mysqlnd_stmt_free_stmt_content_pub (s=0x7fdb94bf44d0) at mysqlnd_ps.c:2114
#4  0x000000010a877023 in php_mysqlnd_stmt_net_close_priv (s=0x7fdb94bf44d0, implicit=33 '!') at mysqlnd_ps.c:2209
#5  0x000000010a875f6e in php_mysqlnd_stmt_dtor_pub (s=0x103, implicit=0 '\0') at mysqlnd_ps.c:2236
#6  0x000000010a756233 in pdo_mysql_stmt_dtor (stmt=0x10ae7f438) at mysql_statement.c:64
#7  0x000000010a7503a5 in free_statement (stmt=0x103) at pdo_stmt.c:2406
#8  0x000000010a8f0041 in zend_objects_store_del_ref_by_handle_ex (handle=259, handlers=0x10af16000) at zend_objects_API.c:220
#9  0x000000010a8f00fa in zend_objects_store_del_ref (zobject=0x10b122100) at zend_objects_API.c:173
#10 0x000000010a8c46da in _zval_dtor [inlined] () at /Users/geoff/php-5.3.17/Zend/zend_variables.h:35
#11 0x000000010a8c46da in _zval_ptr_dtor (zval_ptr=0x103) at zend_variables.h:447
#12 0x000000010a9354dd in zend_leave_helper_SPEC (execute_data=0x103) at zend_vm_execute.h:160
#13 0x000000010a934b31 in execute (op_array=0x103) at zend_vm_execute.h:107
#14 0x000000010a8c5af5 in zend_call_function (fci=0x7fff55971af8) at zend_execute_API.c:969
#15 0x000000010a8072f6 in zif_call_user_func_array (ht=259, return_value=0x10b1214d0, return_value_ptr=0x1000, this_ptr=0x7fff8a0f45de, return_value_used=0) at basic_functions.c:4814
#16 0x000000010a934439 in zend_do_fcall_common_helper_SPEC (execute_data=0x103) at zend_vm_execute.h:320
#17 0x000000010a934b31 in execute (op_array=0x10b041508) at zend_vm_execute.h:107
#18 0x000000010a8c5af5 in zend_call_function (fci=0x7fff55971d98) at zend_execute_API.c:969
#19 0x000000010a8072f6 in zif_call_user_func_array (ht=184816904, return_value=0x10b12a6e8, return_value_ptr=0x1000, this_ptr=0x7fff8a0f45de, return_value_used=0) at basic_functions.c:4814
#20 0x000000010a934439 in zend_do_fcall_common_helper_SPEC (execute_data=0x10b041508) at zend_vm_execute.h:320
#21 0x000000010a934b31 in execute (op_array=0x10b040fa0) at zend_vm_execute.h:107
#22 0x000000010a8cf878 in zend_execute_scripts (type=8, retval=0x7fff55972010, file_count=1435967504) at zend.c:1236
#23 0x000000010a87db02 in php_execute_script (primary_file=0x7fff559726b8) at main.c:2308
#24 0x000000010a949c90 in php_handler (r=0x10b040fa0) at sapi_apache2.c:669
#25 0x000000010a28ee8d in ap_run_handler ()
#26 0x000000010a28f592 in ap_invoke_handler ()
#27 0x000000010a2c4e44 in ap_internal_redirect ()
#28 0x000000010a5e2d65 in handler_redirect ()
#29 0x000000010a28ee8d in ap_run_handler ()
#30 0x000000010a28f592 in ap_invoke_handler ()
#31 0x000000010a2c4efb in ap_process_request ()
#32 0x000000010a2c1043 in ap_process_http_connection ()
#33 0x000000010a2a40ad in ap_run_process_connection ()
#34 0x000000010a2a465b in ap_process_connection ()
#35 0x000000010a2ceeec in child_main ()
#36 0x000000010a2cd99e in make_child ()
#37 0x000000010a2cda50 in startup_children ()
#38 0x000000010a2ccb1f in ap_mpm_run ()
#39 0x000000010a297b12 in main ()
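The failure the title and backtrace describe is an allocator mismatch: the parameter-bind array is taken from one arena and later handed to `_mysqlnd_pefree()` with `persistent=1`, so a request-arena block ends up in `free()` and the allocator aborts. The following C program is an added example (not mysqlnd code and not the attached patch): it models the two arenas with a per-block tag so the mismatch becomes a detectable return value instead of a crash, and puts the buggy allocation pattern beside the corrected one. All names (`pe_calloc`, `pe_free`, `bind_one_parameter_buggy`, `bind_one_parameter_fixed`, `run_scenario`) and the tag values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of two allocation arenas (added example, not mysqlnd
 * code). persistent=1 stands for the process heap that outlives the request
 * (libc malloc in mysqlnd), persistent=0 for the per-request arena (Zend MM
 * emalloc). Every block carries a tag naming the arena it came from. */
#define TAG_REQUEST    0x52515354u   /* "RQST" */
#define TAG_PERSISTENT 0x50455253u   /* "PERS" */

typedef struct {
    unsigned tag;
    size_t   size;
} alloc_hdr;

/* Counterpart of a pecalloc(): choose the arena by the persistent flag. */
static void *pe_calloc(size_t size, int persistent)
{
    alloc_hdr *h = calloc(1, sizeof *h + size);
    if (h == NULL)
        return NULL;
    h->tag  = persistent ? TAG_PERSISTENT : TAG_REQUEST;
    h->size = size;
    return h + 1;
}

/* Counterpart of a pefree(): 0 on a matching free, -1 when the caller's flag
 * disagrees with the arena the block came from. Real allocators have no such
 * check; the mismatch reaches free() and aborts, as in the backtrace above. */
static int pe_free(void *p, int persistent)
{
    alloc_hdr *h;
    unsigned   expect = persistent ? TAG_PERSISTENT : TAG_REQUEST;

    if (p == NULL)
        return 0;
    h = (alloc_hdr *)p - 1;
    if (h->tag != expect)
        return -1;              /* refuse rather than corrupt the heap */
    h->tag = 0;
    free(h);
    return 0;
}

typedef struct { int type; void *zv; } param_bind_t;

typedef struct {
    int           persistent;   /* inherited from a PDO::ATTR_PERSISTENT connection */
    unsigned      param_count;
    param_bind_t *param_bind;   /* array of bound parameters, allocated lazily */
} stmt_t;

/* The pattern named in the bug title: the array always comes from the
 * request arena, whatever stmt->persistent says. */
static int bind_one_parameter_buggy(stmt_t *s, unsigned param_no, int type)
{
    if (param_no >= s->param_count)
        return -1;
    if (s->param_bind == NULL) {
        s->param_bind = pe_calloc(s->param_count * sizeof *s->param_bind, 0);
        if (s->param_bind == NULL)
            return -1;
    }
    s->param_bind[param_no].type = type;
    return 0;
}

/* Corrected form: allocation follows the statement's own flag, so the later
 * pefree(param_bind, stmt->persistent) always targets the right arena. */
static int bind_one_parameter_fixed(stmt_t *s, unsigned param_no, int type)
{
    if (param_no >= s->param_count)
        return -1;
    if (s->param_bind == NULL) {
        s->param_bind = pe_calloc(s->param_count * sizeof *s->param_bind,
                                  s->persistent);
        if (s->param_bind == NULL)
            return -1;
    }
    s->param_bind[param_no].type = type;
    return 0;
}

/* Statement teardown as in frame #3 of the backtrace: free with the
 * statement's flag. */
static int free_stmt_content(stmt_t *s)
{
    int rc = pe_free(s->param_bind, s->persistent);
    if (rc == 0)
        s->param_bind = NULL;
    return rc;
}

/* Bind one parameter, then destroy the statement.
 * Returns 0 for a clean teardown, -1 on an arena mismatch. */
static int run_scenario(int persistent, int use_fix)
{
    stmt_t s = { persistent, 1, NULL };
    int rc = use_fix ? bind_one_parameter_fixed(&s, 0, 1)
                     : bind_one_parameter_buggy(&s, 0, 1);
    if (rc != 0)
        return -2;
    rc = free_stmt_content(&s);
    if (rc != 0 && s.param_bind != NULL) {   /* release via the arena it really came from */
        pe_free(s.param_bind, !persistent);
        s.param_bind = NULL;
    }
    return rc;
}

int main(void)
{
    printf("non-persistent, buggy: %d\n", run_scenario(0, 0));  /* 0  */
    printf("persistent,     buggy: %d\n", run_scenario(1, 0));  /* -1 */
    printf("persistent,     fixed: %d\n", run_scenario(1, 1));  /* 0  */
    return 0;
}
```

Only the persistent-connection case with the buggy binder reports a mismatch, which matches the report: non-persistent connections never exercise the bad path, so the crash is invisible until PDO::ATTR_PERSISTENT => true is combined with native prepares. The general rule the example illustrates is that any object whose lifetime is tied to a persistent connection must take every one of its sub-allocations through the same persistent flag it is later freed with.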

Patches

bind_one_parameter_alloc.patch (last revision 2012-11-15 18:34 UTC) by geoff at lollywollydoodle dot com


History

 [2013-03-12 15:44 UTC] uw@php.net
Andrey, can you apply the patch? Looks fine to me.
 [2013-03-12 15:44 UTC] uw@php.net
-Assigned To: +Assigned To: mysql
 [2013-03-14 14:05 UTC] andrey@php.net
Fix pushed in 5.3-dev. Will be part of the next releases of 5.3, 5.4 and 5.5.
 [2013-03-14 14:05 UTC] andrey@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC