|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67465 NULL Pointer dereference in odbc_handle_preparer
Submitted: 2014-06-17 16:55 UTC Modified: 2020-09-28 15:07 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: martin dot koegler at brz dot gv dot at Assigned: cmb (profile)
Status: Closed Package: PDO ODBC
PHP Version: 5.5.13 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: martin dot koegler at brz dot gv dot at
New email:
PHP Version: OS:


 [2014-06-17 16:55 UTC] martin dot koegler at brz dot gv dot at
If SQLSetStmtAttr fails in odbc_handle_preparer (file odbc_driver.c), pdo_odbc_stmt_error is called. At this time, stmt->driver_data is still NULL.

pdo_odbc_error then tries to store the error data to einfo of the not present stmt->driver_data => SIGSEGV.

Second issue is, that caller of odbc_handle_preparer expects the error in the error structure of the db connection handle.

Possible fix:
--- ext/pdo_odbc/odbc_driver.c.orig     2014-06-17 18:18:14.529836822 +0200
+++ ext/pdo_odbc/odbc_driver.c  2014-06-17 18:41:55.907685218 +0200
@@ -67,7 +67,7 @@
        pdo_odbc_stmt *S = NULL;
        pdo_error_type *pdo_err = &dbh->error_code;

-       if (stmt) {
+       if (stmt && stmt->driver_data) {
                S = (pdo_odbc_stmt*)stmt->driver_data;

                einfo = &S->einfo;
@@ -185,7 +185,7 @@
        if (cursor_type != PDO_CURSOR_FWDONLY) {
                rc = SQLSetStmtAttr(S->stmt, SQL_ATTR_CURSOR_SCROLLABLE, (void*)SQL_SCROLLABLE, 0);
                if (rc != SQL_SUCCESS && rc != SQL_SUCCESS_WITH_INFO) {
-                       pdo_odbc_stmt_error("SQLSetStmtAttr: SQL_ATTR_CURSOR_SCROLLABLE");
+                       pdo_odbc_error(stmt->dbh, stmt, S->stmt, "SQLSetStmtAttr: SQL_ATTR_CURSOR_SCROLLABLE", __FILE__, __LINE__ TSRMLS_CC);
                        SQLFreeHandle(SQL_HANDLE_STMT, S->stmt);
                        if (nsql) {


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-09-28 15:07 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-09-28 15:12 UTC]
The following pull request has been associated:

Patch Name: Fix #67465: NULL Pointer dereference in odbc_handle_preparer
On GitHub:
 [2020-09-28 21:00 UTC]
Automatic comment on behalf of
Log: Fix #67465: NULL Pointer dereference in odbc_handle_preparer
 [2020-09-28 21:00 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Oct 24 18:01:28 2020 UTC