Bug #65434 signal Segmentation fault (11),
Submitted: 2013-08-10 11:28 UTC Modified: 2017-10-24 08:42 UTC
From: sn at datainfratech dot com Assigned:
Status: Suspended Package: ingres (PECL)
PHP Version: Irrelevant OS: seen in Linux
Private report: No CVE-ID: None
 [2013-08-10 11:28 UTC] sn at datainfratech dot com
Description:
------------
I don't think the PHP version is important here; this is more a small bug in the 
302098 version of ingres.c. I'm using Ingres driver version 2.2.4.

It's not really easy to reproduce with quick and direct PHP code, so I can't 
really provide a test case, but I can test the changes once implemented.

Locally I collected the core files and the top of the call stack looks like:

#0  0x00007f4b0fa60453 in php_ii_result_remove (ii_result=0x7f4b1ffbb450, 
result_id=3) at /opt/build/ingres-2.2.4.working/ingres.c:3500
#1  0x00007f4b0fa60717 in php_close_ii_result (rsrc=<value optimized out>) at 
/opt/build/ingres-2.2.4.working/ingres.c:818
#2  0x00007f4b1479a60e in ?? () from /etc/httpd/modules/libphp5.so
#3  0x00007f4b147997cc in zend_hash_del_key_or_index () from 
/etc/httpd/modules/libphp5.so
#4  0x00007f4b1479a8c9 in _zend_list_delete () from 
/etc/httpd/modules/libphp5.so
#5  0x00007f4b0fa5b89d in _free_ii_link_result_list (ii_link=0x7f4b1fffefe0) at 
/opt/build/ingres-2.2.4.working/ingres.c:773
#6  0x00007f4b0fa618fb in _close_ii_link (ii_link=0x0) at /opt/build/ingres-
2.2.4.working/ingres.c:651
#7  0x00007f4b1479a60e in ?? () from /etc/httpd/modules/libphp5.so
#8  0x00007f4b147997cc in zend_hash_del_key_or_index () from 
/etc/httpd/modules/libphp5.so
#9  0x00007f4b1479a8c9 in _zend_list_delete () from 
/etc/httpd/modules/libphp5.so
#10 0x00007f4b1477f18a in _zval_ptr_dtor () from /etc/httpd/modules/libphp5.so

To fix this segfault I'm just checking whether type_name exists before actually 
using it in strcmp, since both resource and type_name are NULL when this 
happens.

The above call stack points to line 3500, but the problem is seen at line 818 as 
well; in my environment I had already fixed that before I got the second core 
with the above call stack.

The solution:

[root@ts01 build]# diff ingres-2.2.4/ingres.c ingres-2.2.4.working/ingres.c
818c818
<         if ((strcmp("ingres connection",type_name) == 0 ) || (strcmp("ingres 
persistent connection",type_name) == 0 ))
---
>         if (type_name && ((strcmp("ingres connection",type_name) == 0 ) || 
(strcmp("ingres persistent connection",type_name) == 0 )))
3500c3500
<         if ((strcmp("ingres connection",type_name) == 0 ) || (strcmp("ingres 
persistent connection",type_name) == 0 ))
---
>         if (type_name && ((strcmp("ingres connection",type_name) == 0 ) || 
(strcmp("ingres persistent connection",type_name) == 0 )))
3558,3559c3558,3561
<             php_error_docref(NULL TSRMLS_CC, E_ERROR, "php_ii_result_remove : 
An unknown resource type was passed");
<             return II_FAIL;
---
>             if(type_name){
>                 php_error_docref(NULL TSRMLS_CC, E_ERROR, 
"php_ii_result_remove : An unknown resource type was passed");
>                 return II_FAIL;
>             }
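Review bot: wrapping both the php_error_docref() call and the `return II_FAIL;` in `if(type_name)` changes behaviour beyond the NULL case that crashed: the original else branch always returned II_FAIL for an unknown type, whereas now a NULL type_name falls out of the if/else and php_ii_result_remove continues past this point without this branch having chosen a return value. If the intent is that a result whose connection is already freed counts as removed, make that explicit with a return of the success value and a one-line comment, rather than relying on whatever code follows the else; otherwise keep the return II_FAIL for the NULL case too. Also worth noting that E_ERROR aborts the request, so the message is only suppressed for NULL and still fatal for a genuinely wrong type, which may be intended. Style: `if(type_name){` should read `if (type_name) {` to match the spacing used at lines 818 and 3500.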

I don't see any problems after compiling it and restarting httpd.

Expected result:
----------------
output result

Actual result:
--------------
#0  0x00007f4b0fa60453 in php_ii_result_remove (ii_result=0x7f4b1ffbb450, 
result_id=3) at /opt/build/ingres-2.2.4.working/ingres.c:3500
#1  0x00007f4b0fa60717 in php_close_ii_result (rsrc=<value optimized out>) at 
/opt/build/ingres-2.2.4.working/ingres.c:818
#2  0x00007f4b1479a60e in ?? () from /etc/httpd/modules/libphp5.so
#3  0x00007f4b147997cc in zend_hash_del_key_or_index () from 
/etc/httpd/modules/libphp5.so
#4  0x00007f4b1479a8c9 in _zend_list_delete () from 
/etc/httpd/modules/libphp5.so
#5  0x00007f4b0fa5b89d in _free_ii_link_result_list (ii_link=0x7f4b1fffefe0) at 
/opt/build/ingres-2.2.4.working/ingres.c:773
#6  0x00007f4b0fa618fb in _close_ii_link (ii_link=0x0) at /opt/build/ingres-
2.2.4.working/ingres.c:651
#7  0x00007f4b1479a60e in ?? () from /etc/httpd/modules/libphp5.so
#8  0x00007f4b147997cc in zend_hash_del_key_or_index () from 
/etc/httpd/modules/libphp5.so
#9  0x00007f4b1479a8c9 in _zend_list_delete () from 
/etc/httpd/modules/libphp5.so
#10 0x00007f4b1477f18a in _zval_ptr_dtor () from /etc/httpd/modules/libphp5.so
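The teardown order in the trace above and the NULL-safe check from the patch, as an added example in C that is not code from the ingres driver, the Zend engine or the reporter's patch: a toy resource list stands in for the Zend resource list, the connection entry is cleared before its results are destroyed, and each result destructor looks the connection's type name up by id and gets NULL. All names (rsrc_type_name, is_ii_link_type, ii_result_remove, II_ALREADY_GONE, close_link_then_results) and the sample table are constructed for the example.

```c
/* Added example: a model of the crash in this report, not code from the
 * ingres driver, the Zend engine or the reporter's patch. A toy resource
 * list stands in for the Zend resource list; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define II_OK            0
#define II_FAIL         (-1)
#define II_ALREADY_GONE  1   /* hypothetical: owning link was freed first */
#define MAX_RSRC         8

/* Toy resource list: slot i holds the type name of resource id i,
 * or NULL once that resource has been deleted. */
static const char *rsrc_type[MAX_RSRC];

/* Constructed sample: one connection (id 1) owning two results (ids 2, 3),
 * plus an unrelated resource (id 4) to exercise the unknown-type path. */
static const int sample_result_ids[2] = { 2, 3 };

static void setup_sample(void)
{
    int i;
    for (i = 0; i < MAX_RSRC; i++) rsrc_type[i] = NULL;
    rsrc_type[1] = "ingres connection";
    rsrc_type[2] = "ingres result";
    rsrc_type[3] = "ingres result";
    rsrc_type[4] = "mysql link";
}

/* Stand-in for looking a resource's type name up by id; returns NULL
 * for an id that is out of range or already deleted. */
static const char *rsrc_type_name(int id)
{
    if (id < 0 || id >= MAX_RSRC) return NULL;
    return rsrc_type[id];
}

/* The comparison patched at ingres.c:818 and :3500, NULL-safe and in one place.
 * The unpatched form, strcmp("ingres connection", type_name), dereferences
 * type_name and faults when it is NULL. */
static int is_ii_link_type(const char *type_name)
{
    return type_name != NULL &&
           (strcmp("ingres connection", type_name) == 0 ||
            strcmp("ingres persistent connection", type_name) == 0);
}

/* Result destructor: classifies the owning link by id. A missing link is
 * reported as II_ALREADY_GONE instead of being dereferenced or silently
 * skipped; a live resource of another type is still an error. */
static int ii_result_remove(int link_id)
{
    const char *type_name = rsrc_type_name(link_id);
    if (type_name == NULL)
        return II_ALREADY_GONE;
    if (!is_ii_link_type(type_name)) {
        fprintf(stderr, "ii_result_remove: unknown resource type '%s'\n", type_name);
        return II_FAIL;
    }
    return II_OK;
}

/* Reproduces the ordering in the trace: the link's slot is cleared before
 * its results are torn down, so each result destructor sees a NULL type.
 * Returns how many destructors hit that case, or -1 on an unexpected type. */
static int close_link_then_results(int link_id, const int *result_ids, int n)
{
    int gone = 0, i;
    rsrc_type[link_id] = NULL;             /* connection entry removed first */
    for (i = 0; i < n; i++) {
        int rc = ii_result_remove(link_id);
        if (rc == II_FAIL) return -1;
        if (rc == II_ALREADY_GONE) gone++;
        rsrc_type[result_ids[i]] = NULL;   /* now free the result itself */
    }
    return gone;
}

int main(void)
{
    setup_sample();
    printf("link live:  remove -> %d\n", ii_result_remove(1));   /* II_OK */
    printf("other type: remove -> %d\n", ii_result_remove(4));   /* II_FAIL */
    printf("teardown:   %d result destructors saw a freed link\n",
           close_link_then_results(1, sample_result_ids, 2));    /* 2 */
    return 0;
}
```

The point of the model is the ordering in close_link_then_results: because the connection's slot is cleared before its results are visited, every result destructor's lookup returns NULL, which is exactly the state the report describes at lines 818 and 3500. Guarding strcmp() hides the fault; returning a distinct code for the already-freed case keeps the destructor's behaviour explicit instead of falling through to whatever code follows the comparison.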


History

 [2017-10-24 08:42 UTC] kalle@php.net
-Status: Open +Status: Suspended
 [2017-10-24 08:42 UTC] kalle@php.net
The ingres package has not had any activity for 4 years, so it's safe to say that it's no longer in active development; if activity picks back up then the maintainer can re-open this report.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Dec 04 08:03:38 2021 UTC