Bug #65337 Segmentation Fault in _zend_mm_free_int using mysqlnd
Submitted: 2013-07-25 16:35 UTC Modified: 2013-07-29 15:56 UTC
From: pool at unimca dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 5.4.17 OS: Linux Debian Wheezy amd64
Private report: No CVE-ID: None
 [2013-07-25 16:35 UTC] pool at unimca dot com
Description:
------------
I get recurring segmentation faults (script to reproduce attached), with both PHP 5.4.17 and 5.4.4.
When I query MySQL using:
- mysqli
- mysqlnd (native driver)
- prepared statements
- a specific number of parameters
For me, a number of parameters of 1923-2033 in the provided script produces the error. A number below or above works fine. The numbers might vary from system to system (I don't know). To take this into account, I made the script loop over different numbers of parameters.

The Apache2 log reports: [notice] child pid 30414 exit signal Segmentation fault (11)

I get the same error when using PDO and prepared statements (with real prepared statements, ATTR_EMULATE_PREPARES = false).

I compiled PHP 5.4.17 myself (I'm not experienced in doing so). PHP 5.4.4 was out of the box.
Both use mysqlnd in what seems to be the same version (5.0.10 (?) according to phpinfo()).

MySQL is the out-of-the-box Wheezy package: Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2. Using InnoDB.
Debian Wheezy is: 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux

Can anyone confirm that this is not specific to my machine/installation?



Test script:
---------------
<?php

/*
CREATE DATABASE testDatabase
 CHARACTER SET utf8
 DEFAULT CHARACTER SET utf8
 COLLATE utf8_general_ci
 DEFAULT COLLATE utf8_general_ci;
USE testDatabase;
SET NAMES 'utf8';

GRANT CREATE, ALTER, INDEX, DROP, CREATE TEMPORARY TABLES, SELECT, INSERT, UPDATE, DELETE ON testDatabase.* TO 'testUser'@'localhost' IDENTIFIED BY 'testPassword';
GRANT CREATE, ALTER, INDEX, DROP, CREATE TEMPORARY TABLES, SELECT, INSERT, UPDATE, DELETE ON testDatabase.* TO 'testUser'@'localhost.localdomain' IDENTIFIED BY 'testPassword';
FLUSH PRIVILEGES;

CREATE TABLE `testTable` (
  `testField` binary(16) NOT NULL,
  `content` varchar(30) NOT NULL,
  PRIMARY KEY (`testField`)
);
*/

// Probe increasing parameter counts; the crash shows up somewhere in the
// 1923-2033 range on the reporter's system, so the loop keeps going.
for ($j = 2; $j < 65000; $j++) {

    $arBind = array();
    $sBind  = '';

    for ($i = 0; $i < $j; $i++) { // $j = number of parameters for the prepared statement
        $sBind   .= 's';
        $arBind[] = '00000000000000000000000000000000';
    }
    echo '<br>Going to probe number of parameters: ' . count($arBind);
    ob_flush(); // print it to the browser right away, not required for the script
    flush();    // print it to the browser right away, not required for the script

    // Constructing the query: one unhex(?) placeholder per bound value
    $query = 'SELECT * from testTable WHERE testField IN(unhex(?)';
    $questionMarksMinus1 = count($arBind) - 1; // 1 question mark already set in the query
    for ($i = 1; $i <= $questionMarksMinus1; $i++) {
        $query .= ',unhex(?)';
    }
    $query .= ')';

    $mysqliConn = mysqli_connect('127.0.0.1', 'testUser', 'testPassword');
    $mysqliConn->select_db('testDatabase');
    $mysqliSTMT = $mysqliConn->stmt_init();
    $mysqliSTMT->prepare($query);

    array_unshift($arBind, $sBind); // add the type string to the beginning of the array
    // bind_param expects references, not values -> build a new array of references
    $arBindRef = array();
    foreach ($arBind as $key => $value) {
        $arBindRef[] = &$arBind[$key];
    }
    call_user_func_array(array($mysqliSTMT, 'bind_param'), $arBindRef);

    $mysqliSTMT->execute(); // here the problem occurs
}

echo '<br>FINISHED';
?>

Expected result:
----------------
No segmentation fault

Actual result:
--------------
  (gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  _zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
#1  0x00007f7a1eb08afd in _mysqlnd_pefree (ptr=<optimized out>, persistent=0 '\000') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_alloc.c:372
#2  0x00007f7a1eb14cfa in mysqlnd_internal_free_result_contents (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:288
#3  0x00007f7a1eb14d1a in mysqlnd_internal_free_result (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:302
#4  0x00007f7a1eb1b9a1 in php_mysqlnd_stmt_free_stmt_content_pub (s=0x7f7a19cc6ae0) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2115
#5  0x00007f7a1eb1cc4c in php_mysqlnd_stmt_net_close_priv (s=<optimized out>, implicit=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2203
#6  0x00007f7a1eb1b66e in php_mysqlnd_stmt_dtor_pub (s=0x7f7a19cc6ae0, implicit=1 '\001') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2229
#7  0x00007f7a1e9ab018 in php_clear_stmt_bind (stmt=0x7f7a19f1d658) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:164
#8  0x00007f7a1e9ab06a in mysqli_stmt_free_storage (object=0x7f7a19cc6860) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:255
#9  0x00007f7a1ebada26 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:221
#10 0x00007f7a1ebada43 in zend_objects_store_del_ref (zobject=0x7f7a19cc5360) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:173
#11 0x00007f7a1eb77d29 in _zval_dtor (zvalue=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_variables.h:35
#12 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:436
#13 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:425
#14 0x00007f7a1eb930a5 in zend_hash_apply_deleter (ht=ht@entry=0x7f7a1f396d08, p=p@entry=0x7f7a19cc6900) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:650
#15 0x00007f7a1eb94be1 in zend_hash_reverse_apply (ht=ht@entry=0x7f7a1f396d08, apply_func=apply_func@entry=0x7f7a1eb77bb0 <zval_call_destructor>)
    at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:804
#16 0x00007f7a1eb78041 in shutdown_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:217
#17 0x00007f7a1eb86ac7 in zend_call_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend.c:922
#18 0x00007f7a1eb27e25 in php_request_shutdown (dummy=dummy@entry=0x0) at /home/myUser/DebMaking/php-5.4.17/main/main.c:1742
#19 0x00007f7a1ec305af in php_apache_request_dtor (r=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:507
#20 php_handler (r=0x7f7a22af20a0) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:679
#21 0x00007f7a22d0db60 in ap_run_handler ()
#22 0x00007f7a22d0dfab in ap_invoke_handler ()
#23 0x00007f7a22d1e088 in ap_process_request ()
#24 0x00007f7a22d1af48 in ?? ()
#25 0x00007f7a22d14520 in ap_run_process_connection ()
#26 0x00007f7a22d22cb9 in ?? ()
#27 0x00007f7a22d233d2 in ?? ()
#28 0x00007f7a22d23f36 in ap_mpm_run ()
#29 0x00007f7a22cf8832 in main ()
(gdb) bt full
#0  _zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
        mm_block = 0x7f7a19cd5f28
        next_block = 0x3030afaa49fd8f58
        size = 3472328296227680304
#1  0x00007f7a1eb08afd in _mysqlnd_pefree (ptr=<optimized out>, persistent=0 '\000') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_alloc.c:372
        free_amount = <optimized out>
        collect_memory_statistics = 0 '\000'
#2  0x00007f7a1eb14cfa in mysqlnd_internal_free_result_contents (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:288
No locals.
#3  0x00007f7a1eb14d1a in mysqlnd_internal_free_result (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:302
No locals.
#4  0x00007f7a1eb1b9a1 in php_mysqlnd_stmt_free_stmt_content_pub (s=0x7f7a19cc6ae0) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2115
        stmt = 0x7f7a19cc6b30
#5  0x00007f7a1eb1cc4c in php_mysqlnd_stmt_net_close_priv (s=<optimized out>, implicit=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2203
        stmt = 0x7f7a19cc6b30
        conn = <optimized out>
        cmd_buf = "\001\000\000"
        statistic = <optimized out>
#6  0x00007f7a1eb1b66e in php_mysqlnd_stmt_dtor_pub (s=0x7f7a19cc6ae0, implicit=1 '\001') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2229
        stmt = 0x7f7a19cc6b30
        ret = FAIL
        persistent = 0 '\000'
#7  0x00007f7a1e9ab018 in php_clear_stmt_bind (stmt=0x7f7a19f1d658) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:164
No locals.
#8  0x00007f7a1e9ab06a in mysqli_stmt_free_storage (object=0x7f7a19cc6860) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:255
        stmt = <optimized out>
        zo = 0x7f7a19cc6860
        intern = 0x7f7a19cc6860
        my_res = <optimized out>
#9  0x00007f7a1ebada26 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:221
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162395558752, -8192091644916044739, 140162395540600, 140162486594824, 140162478078896, 140735356192568, -8123113098347975619, 
              -8192088360732496835}, __mask_was_saved = 0, __saved_mask = {__val = {140162477808826, 140161962737665, 0, 5283658345051342928, 140162477785156, 0, 
                140162542126972, 0, 0, 140735356190832, 140162397992704, 140162531681520, 140162477986829, 140162486592512, 0, 0}}}}
        obj = 0x7f7a19f05070
        failure = <optimized out>
#10 0x00007f7a1ebada43 in zend_objects_store_del_ref (zobject=0x7f7a19cc5360) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:173
        handle = <optimized out>
#11 0x00007f7a1eb77d29 in _zval_dtor (zvalue=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_variables.h:35
No locals.
#12 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:436
No locals.
#13 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:425
No locals.
#14 0x00007f7a1eb930a5 in zend_hash_apply_deleter (ht=ht@entry=0x7f7a1f396d08, p=p@entry=0x7f7a19cc6900) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:650
        retval = <optimized out>
#15 0x00007f7a1eb94be1 in zend_hash_reverse_apply (ht=ht@entry=0x7f7a1f396d08, apply_func=apply_func@entry=0x7f7a1eb77bb0 <zval_call_destructor>)
    at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:804
        result = 1
        p = 0x7f7a19cc0c78
        q = 0x7f7a19cc6900
#16 0x00007f7a1eb78041 in shutdown_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:217
        symbols = 14
        __orig_bailout = 0x7fff80e9bf30
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 140162544640160, 140162549147716, -4294967295, 140735356192568, -8123113101239948227, 
              -8192088332522132419}, __mask_was_saved = 0, __saved_mask = {__val = {140162482955400, 140162397992704, 140162477812253, 0, 140162397992840, 103079215104, 
                140162477986829, 140162397992896, 140162477986829, 0, 433992944, 8, 140162396730936, 7, 23, 140162486594824}}}}
#17 0x00007f7a1eb86ac7 in zend_call_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend.c:922
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 140162544640160, 140162549147716, -4294967295, 140735356192568, -8123113101273502659, 
              -8192088337574958019}, __mask_was_saved = 0, __saved_mask = {__val = {140735356192568, 140735356191360, 140162537525486, 3, 140735356191400, 
                140162479205191, 140162544640040, 140162477998400, 140162574668336, 140162544603136, 140162544606128, 8, 18446744069414584321, 140162486592808, 
                140162486592512, 140162544640160}}}}
#18 0x00007f7a1eb27e25 in php_request_shutdown (dummy=dummy@entry=0x0) at /home/myUser/DebMaking/php-5.4.17/main/main.c:1742
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 140162544640160, 140162549147716, -4294967295, 140735356192568, -8123113101149770691, 
              -8192088286588605379}, __mask_was_saved = 0, __saved_mask = {__val = {140162544640040, 4, 140162544606160, 140735356191600, 140162537483668, 
                140162483051270, 140162544606128, 140162483051320, 140162544643688, 4294967400, 409318933599, 55834574848, 140162544643984, 140162483051323, 
                140162544640160, 140162486593120}}}}
        report_memleaks = 1 '\001'
#19 0x00007f7a1ec305af in php_apache_request_dtor (r=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:507
No locals.
#20 php_handler (r=0x7f7a22af20a0) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:679
        ctx = 0x7f7a22aefe08
        conf = 0x7f7a22c203d8
        brigade = 0x7f7a22ae9b08
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#21 0x00007f7a22d0db60 in ap_run_handler ()
No symbol table info available.
#22 0x00007f7a22d0dfab in ap_invoke_handler ()
No symbol table info available.
#23 0x00007f7a22d1e088 in ap_process_request ()
No symbol table info available.
#24 0x00007f7a22d1af48 in ?? ()
No symbol table info available.
#25 0x00007f7a22d14520 in ap_run_process_connection ()
No symbol table info available.
#26 0x00007f7a22d22cb9 in ?? ()
No symbol table info available.
#27 0x00007f7a22d233d2 in ?? ()
No symbol table info available.
#28 0x00007f7a22d23f36 in ap_mpm_run ()
No symbol table info available.
#29 0x00007f7a22cf8832 in main ()
No symbol table info available.


phpinfo() of my 5.4.17:
  Configure Command    './configure' '--prefix=/usr' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-apxs2=/usr/bin/apxs2' '--with-libdir=/lib/x86_64-linux-gnu' '--without-db4' '--without-qdbm' '--without-gdbm' '--without-imap' '--with-sqlite3' '--with-gd' '--with-config-file-path=/etc/php5/apache2' '--with-config-file-scan-dir=/etc/php5/apache2/conf.d' '--build=x86_64-linux-gnu' '--host=x86_64-linux-gnu' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=/usr/share/man' '--disable-debug' '--with-regex=php' '--disable-rpath' '--disable-static' '--with-pic' '--with-layout=GNU' '--with-pear=/usr/share/php' '--enable-calendar' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-bcmath' '--with-bz2' '--enable-ctype' '--with-iconv' '--enable-exif' '--enable-ftp' '--with-gettext' '--enable-mbstring' '--with-onig=/usr' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--enable-wddx' '--with-libxml-dir=/usr' '--with-zlib' '--with-kerberos=/usr' '--with-openssl=/usr' '--enable-soap' '--enable-zip' '--with-mhash=yes' '--with-system-tzdata' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mm' '--with-curl=shared,/usr' '--with-enchant=shared,/usr' '--with-zlib-dir=/usr' '--enable-gd-native-ttf' '--with-gmp=shared,/usr' '--with-jpeg-dir=shared,/usr' '--with-xpm-dir=shared,/usr/X11R6' '--with-png-dir=shared,/usr' '--with-freetype-dir=shared,/usr' '--with-imap-ssl' '--enable-intl=shared' '--without-t1lib' '--with-ldap=shared,/usr' '--with-ldap-sasl=/usr' '--with-mcrypt=shared,/usr' '--with-pspell=shared,/usr' '--with-recode=shared,/usr' '--with-xsl=shared,/usr' '--with-snmp=shared,/usr' '--with-mssql=shared,/usr' '--with-tidy=shared,/usr' '--with-xmlrpc=shared' '--with-pgsql=shared,/usr'
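
The frame-0 locals in the `bt full` output above (mm_block, next_block, size) are worth a second look before filing this under "random crash". The following is an added triage example, not part of the original report and not PHP project code: it takes those three values verbatim from the backtrace and the bound parameter byte from the test script (32 x '0'), and checks whether they are consistent with the allocator block header having been overwritten by the bound data. It assumes that the PHP 5.4 Zend allocator's free path computes next_block as mm_block plus the size field read from the block header (that layout assumption is mine, not something the report states); the x86-64 canonical user-address limit is a hardware fact.

```python
# Added triage example for the frame-0 locals of the backtrace above.
# Not part of the original report or of PHP. Input values are copied
# verbatim from "bt full" frame #0; USER_BYTE is the character the test
# script binds 32 times per parameter. ASSUMPTION: the allocator locates
# the next block as mm_block + (size field of the block header).

MM_BLOCK   = 0x7f7a19cd5f28          # gdb: mm_block
NEXT_BLOCK = 0x3030afaa49fd8f58      # gdb: next_block
SIZE       = 3472328296227680304     # gdb: size (decimal, as printed)
USER_BYTE  = b"0"                    # bound value is '0' repeated 32 times

MASK64 = 0xFFFFFFFFFFFFFFFF
USER_CANONICAL_MAX = 0x00007FFFFFFFFFFF  # highest user-space address on x86-64


def size_field_bytes(size):
    """The 8-byte size field as it was laid out in memory (little-endian)."""
    return size.to_bytes(8, "little")


def next_block_consistent(mm_block, next_block, size):
    """True if next_block is exactly mm_block + size (64-bit wrap-around)."""
    return (mm_block + size) & MASK64 == next_block


def is_canonical_user_address(addr):
    """True for an address that can be mapped for a user process on x86-64."""
    return 0 < addr <= USER_CANONICAL_MAX


def user_byte_fraction(raw, user_byte):
    """Fraction (0.0..1.0) of header bytes equal to the byte the script bound."""
    return sum(1 for c in raw if c == user_byte[0]) / len(raw)


def triage(mm_block, next_block, size, user_byte=USER_BYTE):
    """Summarise whether the crash looks like a header overwritten by bound data."""
    raw = size_field_bytes(size)
    return {
        "size_hex": "0x%016x" % size,
        "size_ascii": raw.decode("ascii", "replace"),
        "user_byte_fraction": user_byte_fraction(raw, user_byte),
        "next_block_consistent": next_block_consistent(mm_block, next_block, size),
        "next_block_dereferenceable": is_canonical_user_address(next_block),
    }


if __name__ == "__main__":
    for key, value in triage(MM_BLOCK, NEXT_BLOCK, SIZE).items():
        print("%-28s %s" % (key, value))
```

Run as-is, the size field decodes to exactly eight '0' characters (0x3030303030303030), next_block is exactly mm_block + that size, and the resulting "next block" lies far outside canonical user space, which is why the `ZEND_MM_IS_FREE_BLOCK(next_block)` read at zend_alloc.c:2100 faults. A header that now holds the bytes the request bound is a heap-overwrite signature, not a null dereference, so the practical takeaway for anyone triaging a similar crash is to compare the corrupted allocator fields against the data the script was feeding in before deciding how seriously to treat it.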


 [2013-07-28 13:34 UTC] pool at unimca dot com
Error also occurs with integer key:

CREATE TABLE `testTable` (
  `id` int auto_increment,
  `content` varchar(30) NOT NULL,
  PRIMARY KEY (`id`)
);
 [2013-07-29 15:56 UTC] johannes@php.net
-Status: Open +Status: Duplicate
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Dec 02 06:03:34 2021 UTC