PHP :: Bug #66762 :: Segfault in mysqli_stmt::bind

Bug #66762	Segfault in mysqli_stmt::bind_result() when link closed
Submitted:	2014-02-24 15:05 UTC	Modified:	2014-02-25 09:08 UTC
From:	remi@php.net	Assigned:	remi (profile)
Status:	Closed	Package:	MySQLi related
PHP Version:	5.4.25	OS:	GNU/Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2014-02-24 15:05 UTC] remi@php.net

Description:
------------
Trying to use a Mysqli_Stmt object after the Mysql object is clean result in segfault.

Notice: only with libmysqlclient (no segfault with mysqlnd).

I haven't find a simple solution to check if the link oject is still valid from the stmt object...


Test script:
---------------
$mysqli = new mysqli($host, $user, $pass, $db);
$read_stmt = $mysqli->prepare("SELECT 1");
$mysqli = null;
$read_stmt->bind_result($data);

Expected result:
----------------
no segfault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

(gdb) bt
#0  0x00007ffff7aedf3c in mysql_stmt_bind_result () from /usr/lib64/mysql/libmysqlclient.so.18
#1  0x0000000000474b59 in mysqli_stmt_bind_result_do_bind (start=0, argc=<optimized out>, args=0x7ffff7ab7cb8, stmt=0x7ffff7ab7560)
    at /tmp/php-5.5.9/ext/mysqli/mysqli_api.c:430
#2  zif_mysqli_stmt_bind_result (ht=<optimized out>, return_value=0x7ffff7ab8dd8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /tmp/php-5.5.9/ext/mysqli/mysqli_api.c:509
#3  0x000000000062667a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7a81260) at /tmp/php-5.5.9/Zend/zend_vm_execute.h:550
#4  0x00000000005a2b38 in execute_ex (execute_data=0x7ffff7a81260) at /tmp/php-5.5.9/Zend/zend_vm_execute.h:363
#5  0x000000000057c14d in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /tmp/php-5.5.9/Zend/zend.c:1316
#6  0x000000000051dae2 in php_execute_script (primary_file=primary_file@entry=0x7fffffffc8b0) at /tmp/php-5.5.9/main/main.c:2506
#7  0x0000000000628734 in do_cli (argc=2, argv=0x9be8b0) at /tmp/php-5.5.9/sapi/cli/php_cli.c:994
#8  0x000000000041a107 in main (argc=2, argv=0x9be8b0) at /tmp/php-5.5.9/sapi/cli/php_cli.c:1378
(gdb) 
#0  0x00007ffff7aedf3c in mysql_stmt_bind_result () from /usr/lib64/mysql/libmysqlclient.so.18
#1  0x0000000000474b59 in mysqli_stmt_bind_result_do_bind (start=0, argc=<optimized out>, args=0x7ffff7ab7cb8, stmt=0x7ffff7ab7560)
    at /tmp/php-5.5.9/ext/mysqli/mysqli_api.c:430
#2  zif_mysqli_stmt_bind_result (ht=<optimized out>, return_value=0x7ffff7ab8dd8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /tmp/php-5.5.9/ext/mysqli/mysqli_api.c:509
#3  0x000000000062667a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7a81260) at /tmp/php-5.5.9/Zend/zend_vm_execute.h:550
#4  0x00000000005a2b38 in execute_ex (execute_data=0x7ffff7a81260) at /tmp/php-5.5.9/Zend/zend_vm_execute.h:363
#5  0x000000000057c14d in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /tmp/php-5.5.9/Zend/zend.c:1316
#6  0x000000000051dae2 in php_execute_script (primary_file=primary_file@entry=0x7fffffffc8b0) at /tmp/php-5.5.9/main/main.c:2506
#7  0x0000000000628734 in do_cli (argc=2, argv=0x9be8b0) at /tmp/php-5.5.9/sapi/cli/php_cli.c:994
#8  0x000000000041a107 in main (argc=2, argv=0x9be8b0) at /tmp/php-5.5.9/sapi/cli/php_cli.c:1378

Patches

mysqli-protect-link.patch (last revision 2014-02-25 07:44 UTC by remi@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-02-24 16:35 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393259740
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393259740

[2014-02-24 16:36 UTC] remi@php.net

The attached patch seems to be a workaround.

Each new statement increment link refcount, so the link will be really destroyed after all statements.

[2014-02-24 17:35 UTC] remi@php.net

-Assigned To: +Assigned To: andrey

[2014-02-24 17:35 UTC] remi@php.net

@Andrey, can you please review this patch ?

[2014-02-24 18:21 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393266074
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393266074

[2014-02-24 18:27 UTC] remi@php.net

As the link is already protected by a internal refcount in mysqlnd, the new patch implement this refcount only when build with libmysqlclient.

[2014-02-25 07:32 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393313566
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393313566

[2014-02-25 07:44 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: mysqli-protect-link.patch
Revision:   1393314266
URL:        https://bugs.php.net/patch-display.php?bug=66762&patch=mysqli-protect-link.patch&revision=1393314266

[2014-02-25 09:08 UTC] remi@php.net

-Assigned To: andrey +Assigned To: remi

[2014-02-25 09:08 UTC] remi@php.net

I will apply this patch in 5.4+ in a few days (so for 5.4.27/5.5.11)

[2014-02-27 07:50 UTC] remi@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed

[2014-02-27 07:50 UTC] remi@php.net

-Status: Assigned +Status: Closed

[2014-02-28 20:06 UTC] ab@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed

[2014-02-28 20:11 UTC] ab@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed

[2014-04-10 04:47 UTC] tyrael@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed

[2014-10-07 23:16 UTC] stas@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed

[2014-10-07 23:27 UTC] stas@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9137acc7ecdf1542fe6fda5056a0273359682735
Log: Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 09:01:28 2024 UTC