Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
Submitted: 2014-02-24 15:05 UTC
Modified: 2014-02-25 09:08 UTC
From: remi@php.net
Assigned: remi
Status: Closed
Package: MySQLi related
PHP Version: 5.4.25
OS: GNU/Linux
Private report: No
CVE-ID:
 [2014-02-24 15:05 UTC] remi@php.net
Description:
------------
Trying to use a Mysqli_Stmt object after the Mysql object is cleaned results in a segfault.

Notice: only with libmysqlclient (no segfault with mysqlnd).

I haven't found a simple solution to check if the link object is still valid from the stmt object...


Test script:
---------------
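<?php
// $host, $user, $pass, $db: connection parameters for a reachable MySQL server
$mysqli = new mysqli($host, $user, $pass, $db);
$read_stmt = $mysqli->prepare("SELECT 1");
// Drop the only reference to the link while the statement is still alive
$mysqli = null;
// With libmysqlclient, the statement now uses the destroyed link
$read_stmt->bind_result($data);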

Expected result:
----------------
no segfault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

(gdb) bt
#0  0x00007ffff7aedf3c in mysql_stmt_bind_result () from /usr/lib64/mysql/libmysqlclient.so.18
#1  0x0000000000474b59 in mysqli_stmt_bind_result_do_bind (start=0, argc=<optimized out>, args=0x7ffff7ab7cb8, stmt=0x7ffff7ab7560)
    at /tmp/php-5.5.9/ext/mysqli/mysqli_api.c:430
#2  zif_mysqli_stmt_bind_result (ht=<optimized out>, return_value=0x7ffff7ab8dd8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /tmp/php-5.5.9/ext/mysqli/mysqli_api.c:509
#3  0x000000000062667a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7a81260) at /tmp/php-5.5.9/Zend/zend_vm_execute.h:550
#4  0x00000000005a2b38 in execute_ex (execute_data=0x7ffff7a81260) at /tmp/php-5.5.9/Zend/zend_vm_execute.h:363
#5  0x000000000057c14d in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /tmp/php-5.5.9/Zend/zend.c:1316
#6  0x000000000051dae2 in php_execute_script (primary_file=primary_file@entry=0x7fffffffc8b0) at /tmp/php-5.5.9/main/main.c:2506
#7  0x0000000000628734 in do_cli (argc=2, argv=0x9be8b0) at /tmp/php-5.5.9/sapi/cli/php_cli.c:994
#8  0x000000000041a107 in main (argc=2, argv=0x9be8b0) at /tmp/php-5.5.9/sapi/cli/php_cli.c:1378
(gdb) 


Patches

mysqli-protect-link.patch (last revision 2014-02-25 07:44 UTC by remi@php.net)


History

 [2014-02-24 16:35 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393259740
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393259740
 [2014-02-24 16:36 UTC] remi@php.net
The attached patch seems to be a workaround.

Each new statement increments the link refcount, so the link will really be destroyed after all statements.
 [2014-02-24 17:35 UTC] remi@php.net
-Assigned To: +Assigned To: andrey
 [2014-02-24 17:35 UTC] remi@php.net
@Andrey, can you please review this patch?
 [2014-02-24 18:21 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393266074
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393266074
 [2014-02-24 18:27 UTC] remi@php.net
As the link is already protected by an internal refcount in mysqlnd, the new patch implements this refcount only when built with libmysqlclient.
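
Added example (not part of the report and not the attached patch): a minimal C model of the lifetime rule described in the comments above, where each statement holds its own reference on the link so the link is only freed after the last statement is closed. All type and function names here are hypothetical stand-ins, not ext/mysqli or libmysqlclient symbols.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the client-library link and statement. */
typedef struct { int refcount; } link_t;
typedef struct { link_t *link; } stmt_t;

static int live_links = 0;  /* lets a caller observe when a link is really freed */

link_t *link_open(void) {
    link_t *l = malloc(sizeof *l);
    if (!l) return NULL;
    l->refcount = 1;        /* reference held by the script variable */
    live_links++;
    return l;
}

/* Drop one reference; the link is destroyed only when nobody holds it. */
void link_release(link_t *l) {
    if (--l->refcount == 0) {
        free(l);
        live_links--;
    }
}

/* Each new statement takes its own reference on the link. */
stmt_t *stmt_prepare(link_t *l) {
    stmt_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    l->refcount++;
    s->link = l;
    return s;
}

/* Safe after the script dropped its reference: the statement's own
 * reference keeps the link memory valid. Returns 0 on success. */
int stmt_bind_result(stmt_t *s) {
    return s->link->refcount > 0 ? 0 : -1;
}

void stmt_close(stmt_t *s) { link_release(s->link); free(s); }

/* Same order as the test script: prepare, drop the link, bind, then close. */
int replay_test_script(void) {
    link_t *l = link_open();
    stmt_t *s = l ? stmt_prepare(l) : NULL;
    if (!s) { if (l) link_release(l); return -1; }
    link_release(l);                /* models: $mysqli = null; */
    int rc = stmt_bind_result(s);   /* link still alive, refcount == 1 */
    int alive = live_links;
    stmt_close(s);                  /* last reference gone: link freed here */
    return (rc == 0 && alive == 1 && live_links == 0) ? 0 : -1;
}
```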
 [2014-02-25 07:32 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393313566
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393313566
 [2014-02-25 07:44 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393314266
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393314266
 [2014-02-25 09:08 UTC] remi@php.net
-Assigned To: andrey +Assigned To: remi
 [2014-02-25 09:08 UTC] remi@php.net
I will apply this patch in 5.4+ in a few days (so for 5.4.27/5.5.11)
 [2014-02-27 07:50 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
 [2014-02-27 07:50 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2014-02-28 20:06 UTC] ab@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
 [2014-02-28 20:11 UTC] ab@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
 [2014-04-10 04:47 UTC] tyrael@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
 [2014-10-07 23:16 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
 [2014-10-07 23:27 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
 