|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67465 NULL Pointer dereference in odbc_handle_preparer
Submitted: 2014-06-17 16:55 UTC Modified: -
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: martin dot koegler at brz dot gv dot at Assigned:
Status: Open Package: PDO ODBC
PHP Version: 5.5.13 OS: any
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: martin dot koegler at brz dot gv dot at
New email:
PHP Version: OS:


 [2014-06-17 16:55 UTC] martin dot koegler at brz dot gv dot at
If SQLSetStmtAttr fails in odbc_handle_preparer (file odbc_driver.c), pdo_odbc_stmt_error is called. At this time, stmt->driver_data is still NULL.

pdo_odbc_error then tries to store the error data to einfo of the not present stmt->driver_data => SIGSEGV.

Second issue is, that caller of odbc_handle_preparer expects the error in the error structure of the db connection handle.

Possible fix:
--- ext/pdo_odbc/odbc_driver.c.orig     2014-06-17 18:18:14.529836822 +0200
+++ ext/pdo_odbc/odbc_driver.c  2014-06-17 18:41:55.907685218 +0200
@@ -67,7 +67,7 @@
        pdo_odbc_stmt *S = NULL;
        pdo_error_type *pdo_err = &dbh->error_code;

-       if (stmt) {
+       if (stmt && stmt->driver_data) {
                S = (pdo_odbc_stmt*)stmt->driver_data;

                einfo = &S->einfo;
@@ -185,7 +185,7 @@
        if (cursor_type != PDO_CURSOR_FWDONLY) {
                rc = SQLSetStmtAttr(S->stmt, SQL_ATTR_CURSOR_SCROLLABLE, (void*)SQL_SCROLLABLE, 0);
                if (rc != SQL_SUCCESS && rc != SQL_SUCCESS_WITH_INFO) {
-                       pdo_odbc_stmt_error("SQLSetStmtAttr: SQL_ATTR_CURSOR_SCROLLABLE");
+                       pdo_odbc_error(stmt->dbh, stmt, S->stmt, "SQLSetStmtAttr: SQL_ATTR_CURSOR_SCROLLABLE", __FILE__, __LINE__ TSRMLS_CC);
                        SQLFreeHandle(SQL_HANDLE_STMT, S->stmt);
                        if (nsql) {


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Dec 13 12:01:26 2019 UTC