Bug #6561 PHP crashes while retrieving data from Oracle
Submitted: 2000-09-05 16:21 UTC
Modified: 2000-10-19 15:22 UTC
From: edink at proventum dot net
Assigned:
Status: Closed
Package: Reproducible Crash
PHP Version: 4.0.2
OS: Linux 2.2 (RedHat 6.2)
Private report: No
CVE-ID: None
 [2000-09-05 16:21 UTC] edink at proventum dot net
Very hard to reproduce exactly. It happens while retrieving data from an Oracle 8 database. The same code works fine in 4.0.1pl2. The latest CVS (05/09/00) has the same problem.

It happens in the following code segment (please note that it works for some values of $parent while it fails on others):

---------------
    $reply=array();
    $cat=new Category;
    db_select("select * from $BASEDB.CATAGORY where PARENT_ID=$parent order by NAME");
    while (db_fetch_array($row))
      {
        $cat->id=$row["ID"];
        $cat->name=$row["NAME"];
        $cat->parent_id=$row["PARENT_ID"];
        $cat->is_leaf=($row["IS_LEAF"]=="Y"?1:0);
        $cat->custom=0;
        $reply[]=$cat;
      }
---------------
db_select will just do OciParse and then OciExecute, while db_fetch_array wraps OciFetchInto:

function db_fetch_array(&$a)
{
  global $DB_LINK, $STMT;
  $res=@ociFetchInto($STMT, $a, OCI_ASSOC+OCI_RETURN_NULLS+OCI_RETURN_LOBS);
  return $res;
}

Configure:
'./configure' '--enable-track-vars' '--disable-pear' '--with-ttf=/usr' '--with-ftp' '--with-gdbm' '--with-gd=/usr' '--with-oci8=/ora01/app/oracle/product/8.0.5' '--with-regex=system' '--enable-sysvsem' '--enable-sysvshm' '--enable-xml' '--disable-libtool-lock' '--with-apxs=/data/x5/apache/bin/apxs' '--disable-debug'

Backtrace:
(gdb) r -X
Starting program: /data/x5/apache/bin/httpd -X

Program received signal SIGSEGV, Segmentation fault.
0x4026747b in _efree (ptr=0x4034dd8c) at zend_alloc.c:212
212                     REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x4026747b in _efree (ptr=0x4034dd8c) at zend_alloc.c:212
#1  0x4027dc72 in _zval_dtor (zvalue=0x81bedcc) at zend_variables.c:62
#2  0x40277b3b in _zval_ptr_dtor (zval_ptr=0x81cfcc0) at zend_execute_API.c:261
#3  0x40281ff4 in zend_hash_destroy (ht=0x81a604c) at zend_hash.c:564
#4  0x4027dc8f in _zval_dtor (zvalue=0x81ceb4c) at zend_variables.c:69
#5  0x40277b3b in _zval_ptr_dtor (zval_ptr=0x81c1ae8) at zend_execute_API.c:261
#6  0x40282094 in zend_hash_clean (ht=0x814b4ec) at zend_hash.c:590
#7  0x4027296c in execute (op_array=0x814b004) at ./zend_execute.c:1575
#8  0x4027eed0 in zend_execute_scripts (type=8, file_count=3) at zend.c:713
#9  0x4028e272 in php_execute_script (primary_file=0xbffff854) at main.c:1178
#10 0x4028aed9 in apache_php_module_main (r=0x8131eec, display_source_mode=0) at sapi_apache.c:89
#11 0x4028b79b in send_php (r=0x8131eec, display_source_mode=0, filename=0x0) at mod_php4.c:503
#12 0x4028b7cc in send_parsed_php (r=0x8131eec) at mod_php4.c:514
#13 0x80542e3 in ap_invoke_handler ()
#14 0x8067819 in process_request_internal ()
#15 0x806787c in ap_process_request ()
#16 0x805f11e in child_main ()
#17 0x805f2ac in make_child ()
#18 0x805f409 in startup_children ()
#19 0x805fa36 in standalone_main ()
#20 0x80601c3 in main ()
#21 0x400ba9cb in __libc_start_main (main=0x805fe7c <main>, argc=2, argv=0xbffffa14, init=0x804e870 <_init>,
    fini=0x809419c <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffa0c)
    at ../sysdeps/generic/libc-start.c:92

 [2000-10-02 19:31 UTC] edink at proventum dot net
Still does not work with the newest release. But I have some more info. The table that I'm trying to get the data from has the following structure:

Column Name                    Null?    Type
------------------------------ -------- ----
ID                             NOT NULL NUMBER(20)
NAME                                    VARCHAR2(60)
PARENT_ID                               NUMBER(20)
IS_LEAF                                 VARCHAR2(1)
CAT_NO                                  NUMBER(5)
TREE_LEVEL                              NUMBER(2)
CATNO_PATH                              VARCHAR2(100)
NAME_PATH                               VARCHAR2(350)
ID_PATH                                 VARCHAR2(100)
CAT_COMMENT                             CLOB(4000)
RESL_COMMENT                            CLOB(4000)
SORTNUM                                 NUMBER(10)

Now the crash occurs while doing the following (after parsing select * from category where parent_id=2):

$res=@ociFetchInto($STMT, $a, OCI_ASSOC+OCI_RETURN_NULLS+OCI_RETURN_LOBS);

It only crashes when the OCI_RETURN_LOBS flag is set. Works fine otherwise. The weird part is that it only crashes for some IDs and not for others. The backtrace that I get when run against the latest CVS (2000-10-02) is:

Program received signal SIGSEGV, Segmentation fault.
0x2ac8136b in do_end_function_declaration (function_token=0x2ae2b8d4)
    at zend_compile.c:771
771             CG(active_op_array) = function_token->u.op_array;
#0  0x2ac8136b in do_end_function_declaration (function_token=0x2ae2b8d4)
    at zend_compile.c:771
#1  0x2ad2c494 in yy_state_buf () from /data/ebizzext/apache/libexec/libphp4.so
#2  0x2aca4e42 in add_assoc_unset (arg=0x8170ce4, key=0x2ad2c494 "?\203\f")
    at zend_API.c:246
#3  0x2ac9e21b in get_binary_op (opcode=136069104) at zend_opcode.c:397
#4  0x2aca92a4 in zend_if_strncmp (ht=136314156, return_value=0x2ad2c494,
    this_ptr=0x81b08b8, return_value_used=2147473912)
    at zend_builtin_functions.c:257
#5  0x2aca4e5f in add_assoc_unset (arg=0x81b1504, key=0x2ad2c494 "?\203\f")
    at zend_API.c:247
#6  0x2ac9e21b in get_binary_op (opcode=135989432) at zend_opcode.c:397
#7  0x2aca9344 in zend_if_strncmp (ht=135559724, return_value=0x7fffda20,
    this_ptr=0x817cf5c, return_value_used=0) at zend_builtin_functions.c:258
#8  0x2ac93f72 in execute (op_array=0x81780b4) at ./zend_execute.c:329
#9  0x2aca60b0 in add_property_stringl (arg=0x8,
    key=0x3 <Address 0x3 out of bounds>, str=0x0, length=2147481588,
    duplicate=0) at zend_API.c:682
#10 0x2acb5191 in yyunput (c=2147481588, yy_bp=0x2ad2c494 "?\203\f")
    at configuration-scanner.c:1297
#11 0x2acb1d39 in php_error_cb (type=135468092, error_filename=0x0,
    error_lineno=135468092,
    format=0x813143c "\024\024\023\b\004\004\023\b?4\021\b", args=0x2ad16f1c)
    at main.c:390
#12 0x2acb260b in php_module_startup (sf=0x813143c) at main.c:773
#13 0x2acb263c in php_module_startup (sf=0x813143c) at main.c:810
#14 0x8054313 in ap_invoke_handler ()
#15 0x8067849 in ap_some_auth_required ()
#16 0x80678ac in ap_process_request ()
#17 0x805f14e in ap_child_terminate ()  
#18 0x805f2dc in ap_child_terminate ()
#19 0x805f439 in ap_child_terminate ()
#20 0x805fa66 in ap_child_terminate ()
#21 0x80601f3 in main ()
#22 0x2ab3f9cb in __libc_start_main (main=0x805feac <main>, argc=2,
    argv=0x7ffff9b4, init=0x804e894 <_init>, fini=0x80941cc <_fini>,
    rtld_fini=0x2aab5e60 <_dl_fini>, stack_end=0x7ffff9ac)
    at ../sysdeps/generic/libc-start.c:92 

 [2000-10-19 15:22 UTC] edink at proventum dot net
Fixed in 4.0.3
 