Bug #66311 Stack smashing protection kills PDO/ODBC queries
Submitted: 2013-12-17 20:06 UTC
Modified: 2013-12-22 11:43 UTC
From: michael at orlitzky dot com
Assigned: felipe
Status: Closed
Package: ODBC related
PHP Version: master-Git-2013-12-17 (Git)
OS: Gentoo Linux
Private report: No
CVE-ID:
 [2013-12-17 20:06 UTC] michael at orlitzky dot com
Description:
------------
The background and test code for the issue can be found at,

  https://bugs.gentoo.org/show_bug.cgi?id=491100

In ext/pdo_odbc/odbc_stmt.c, there is a function odbc_stmt_describe which declares variables,

  SDWORD colsize, displaysize;

Later the displaysize variable is filled via a call to SQLColAttribute:

  rc = SQLColAttribute(S->stmt, colno+1,
                       SQL_DESC_DISPLAY_SIZE,
                       NULL, 0, NULL, &displaysize);

According to /usr/include/sqlucode.h, the final parameter to SQLColAttribute should be of type SQLLEN instead of SDWORD. When displaysize's value is finally used,

  colsize = displaysize;
  col->maxlen = S->cols[colno].datalen = colsize;

The stack smashing protection kicks in due to the mismatched types, and the program segfaults. Replacing the SDWORD type with SQLLEN avoids the issue (although there are other type warnings in the same file).
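
An added illustration of the mismatch described in the report (not code from php-src or from the submitted patch). The typedefs are stand-ins that assume a 64-bit build where SDWORD is 4 bytes and SQLLEN is 8; `mock_col_attribute`, the two frame structs and the guard value are hypothetical names that model the driver's write and the stack slot next to `displaysize`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins (assumptions) for the ODBC typedefs on a 64-bit build. */
typedef int32_t app_sdword;   /* models SDWORD: 4 bytes */
typedef int64_t drv_sqllen;   /* models SQLLEN: 8 bytes */
#define GUARD 0xDEADC0DEu     /* constructed marker for the adjacent stack slot */

/* Models the driver side of SQLColAttribute: it stores a full SQLLEN
 * through the numeric-attribute pointer, whatever the caller declared. */
static void mock_col_attribute(void *numeric_out, drv_sqllen value)
{
    memcpy(numeric_out, &value, sizeof value);
}

/* Before the fix: a 4-byte slot followed directly by other stack data. */
struct buggy_frame { app_sdword displaysize; uint32_t guard; };
/* After the fix: the slot has the width the driver writes. */
struct fixed_frame { drv_sqllen displaysize; uint32_t guard; };

/* Bytes written past the end of the SDWORD variable. */
size_t overflow_bytes(void)
{
    return sizeof(drv_sqllen) - sizeof(app_sdword);
}

/* Returns 1 if the write intended for displaysize changed the neighbour. */
int buggy_write_clobbers_guard(void)
{
    struct buggy_frame f = { 0, GUARD };
    mock_col_attribute(&f, 11);   /* &f is also the address of f.displaysize */
    return f.guard != GUARD;
}

/* Returns 1 if the value arrives intact and the neighbour is untouched. */
int fixed_write_is_contained(void)
{
    struct fixed_frame f = { 0, GUARD };
    mock_col_attribute(&f, 11);
    return f.displaysize == 11 && f.guard == GUARD;
}

int main(void)
{
    printf("bytes past SDWORD: %zu\n", overflow_bytes());
    printf("buggy clobbers guard: %d\n", buggy_write_clobbers_guard());
    printf("fixed is contained: %d\n", fixed_write_is_contained());
    return 0;
}
```

In the real function the neighbouring bytes can be the compiler's stack canary, which is why the stack protector aborts the process instead of letting the corrupted frame return.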


Patches

0001-Change-a-variable-s-type-from-SDWORD-to-SQLLEN-to-av.patch (last revision 2013-12-17 20:07 UTC by michael at orlitzky dot com)


History

 [2013-12-17 20:13 UTC] aharvey@php.net
-Package: PDO related
+Package: ODBC related
 [2013-12-22 11:43 UTC] felipe@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: felipe
 [2013-12-22 11:43 UTC] felipe@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-12-23 11:48 UTC] ab@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=aaca4ede153f9cf26277164d14f3499f76d0e69d
Log: - Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries) patch by: michael at orlitzky dot com
 [2013-12-23 22:43 UTC] ab@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a05611358606ca21672c49d26c77b7b0c81cab07
Log: - Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries) patch by: michael at orlitzky dot com