Bug #69757 Segmentation fault on nextRowset
Submitted: 2015-06-04 19:48 UTC Modified: 2015-10-18 09:43 UTC
Votes:6
Avg. Score:4.8 ± 0.4
Reproduced:6 of 6 (100.0%)
Same Version:1 (16.7%)
Same OS:4 (66.7%)
From: miracle at rpz dot name Assigned: ab
Status: Closed Package: PDO DBlib
PHP Version: 5.6.9 OS: Linux
Private report: No CVE-ID:
 [2015-06-04 19:48 UTC] miracle at rpz dot name
Description:
------------
php configured --with-pdo-dblib=shared,/usr

After fetching the first (any) resultset, PDOStatement::nextRowset() causes a segmentation fault instead of returning a boolean result.

Segfault reproduced with php 5.4.41, 5.5.25, 5.6.9; freetds: 0.91, 0.95rc3


Test script:
---------------
<?php

if (!extension_loaded('pdo_dblib')) {
    die('skip not loaded');
}
require __DIR__ . '/config.inc'; // provides $db, an already-connected PDO instance

$sql = "
EXEC sp_executesql N'
    SELECT 1 as first_rowset
    SELECT 2 as second_rowset
'
";
//$sql = 'SELECT 1 as first_rowset'; // same result: segfault
$stmt = $db->query($sql);

$resultset1 = $stmt->fetchAll(PDO::FETCH_ASSOC);
//var_dump($resultset1); // first_rowset => 1
$stmt->nextRowset(); // segfault here



Actual result:
--------------
Core was generated by `php pdo_dblib_next_rowset_segfault.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000067c6d8 in zend_mm_check_ptr (heap=0x1493b20, ptr=0x16f2308, silent=1, 
    __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", __zend_lineno=2053, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:1384
1384            if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x000000000067c6d8 in zend_mm_check_ptr (heap=0x1493b20, ptr=0x16f2308, silent=1, 
    __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", __zend_lineno=2053, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:1384
#1  0x000000000067e2d2 in _zend_mm_free_int (heap=0x1493b20, p=0x16f2308, 
    __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", __zend_lineno=2053, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:2068
#2  0x000000000067f75c in _efree (ptr=0x16f2308, __zend_filename=0x7f1e5d148c08 "/tmp/php-5.6.9/ext/pdo/pdo_stmt.c", 
    __zend_lineno=2053, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /tmp/php-5.6.9/Zend/zend_alloc.c:2440
#3  0x00007f1e5d1441d7 in pdo_stmt_do_next_rowset (stmt=0x7f1e61a76ad0) at /tmp/php-5.6.9/ext/pdo/pdo_stmt.c:2053
#4  0x00007f1e5d144333 in zim_PDOStatement_nextRowset (ht=0, return_value=0x7f1e61a77960, return_value_ptr=0x7f1e64250200, 
    this_ptr=0x7f1e61a76c90, return_value_used=0) at /tmp/php-5.6.9/ext/pdo/pdo_stmt.c:2082
#5  0x00000000006fd188 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f1e642503b8)
    at /tmp/php-5.6.9/Zend/zend_vm_execute.h:558
#6  0x00000000006fd95c in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7f1e642503b8)
    at /tmp/php-5.6.9/Zend/zend_vm_execute.h:693
#7  0x00000000006fc7f1 in execute_ex (execute_data=0x7f1e642503b8) at /tmp/php-5.6.9/Zend/zend_vm_execute.h:363
#8  0x00000000006fc87a in zend_execute (op_array=0x7f1e6428cf30) at /tmp/php-5.6.9/Zend/zend_vm_execute.h:388
#9  0x00000000006b9058 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php-5.6.9/Zend/zend.c:1341
#10 0x00000000006242af in php_execute_script (primary_file=0x7ffd72f96120) at /tmp/php-5.6.9/main/main.c:2597
#11 0x000000000076ad09 in do_cli (argc=2, argv=0x1493870) at /tmp/php-5.6.9/sapi/cli/php_cli.c:994
#12 0x000000000076be16 in main (argc=2, argv=0x1493870) at /tmp/php-5.6.9/sapi/cli/php_cli.c:1378
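
The ownership rule behind this crash, shown as an added example that is not PHP's or FreeTDS's code: PDO core frees each column name when it advances to the next rowset, so a driver must hand it a heap copy it owns rather than a pointer into the database library's internal buffer. `fake_dbcolname()` is a constructed stand-in for dbcolname() (it returns a library-owned pointer, "" for an unnamed computed column and NULL for a bad column number); `owned_column_name()` and `describe_then_release()` are hypothetical helpers, not PDO's API.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for FreeTDS's dbcolname() (hypothetical, not the
 * real library): it hands back a pointer into storage the library owns,
 * "" for an unnamed (computed) column and NULL for a bad column number. */
static const char *fake_dbcolname(int colno1) {
    static const char *names[] = { "id", "", "price" };
    if (colno1 < 1 || colno1 > 3)
        return NULL;
    return names[colno1 - 1];
}

/* Turn a library-owned name into a buffer the caller owns and may free.
 * colno is the zero-based PDO column index. Returns NULL only for a NULL
 * input, so the caller can raise an error instead of dereferencing it. */
char *owned_column_name(const char *libname, int colno) {
    char buf[32]; /* "computed" + any int (at most 11 chars) + NUL */
    if (libname == NULL)
        return NULL;
    if (*libname != '\0')
        return strdup(libname);
    snprintf(buf, sizeof buf, "computed%d", colno);
    return strdup(buf);
}

/* Mimic one describe / next-rowset cycle: copy every column name, then
 * release them all, as PDO core does when advancing rowsets. Returns the
 * number of columns released, or -1 on an invalid column. */
int describe_then_release(int ncols) {
    char **names = calloc((size_t)ncols, sizeof *names);
    int i, ok = 1;
    if (!names)
        return -1;
    for (i = 0; i < ncols; i++) {
        names[i] = owned_column_name(fake_dbcolname(i + 1), i);
        if (!names[i]) { ok = 0; break; }
    }
    for (i = 0; i < ncols; i++)
        free(names[i]);   /* safe: every non-NULL entry is our own heap copy */
    free(names);
    return ok ? ncols : -1;
}

int main(void) {
    printf("released %d columns\n", describe_then_release(3));
    printf("bad column -> %d\n", describe_then_release(4));
    return 0;
}
```

Freeing the pointer returned by the library directly, as the pre-patch driver did, would hand the allocator memory it never allocated, which is the kind of heap-consistency failure zend_mm_check_ptr reports in the backtrace above.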

Patches

dblib_stmt_column_name_computed (last revision 2015-06-25 23:00 UTC) by miracle at rpz dot name



History

 [2015-06-25 22:52 UTC] miracle at rpz dot name
--- orig/ext/pdo_dblib/dblib_stmt.c        2015-05-14 02:13:33.000000000 +0300
+++ fixes/ext/pdo_dblib/dblib_stmt.c       2015-06-26 01:45:16.392471563 +0300
@@ -204,7 +204,15 @@
 
        struct pdo_column_data *col = &stmt->columns[colno];
 
-       col->name = (char*)dbcolname(H->link, colno+1);
+        char *fname = (char*)dbcolname(H->link, colno+1);
+        char computed_buf[16];
+        if (*fname) {
+            col->name = estrdup(fname);
+        } else {
+            snprintf(computed_buf,16,"computed%d", colno);
+            col->name = estrdup(computed_buf);
+        }
+        
        col->maxlen = dbcollen(H->link, colno+1);
        col->namelen = strlen(col->name);
        col->param_type = PDO_PARAM_STR;
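
Review bot: `*fname` is dereferenced without a NULL check; dbcolname() returns NULL when the column number is out of range, so the new branch should read `if (fname && *fname)` and either fall back to the computed name or fail the describe step otherwise. `computed_buf[16]` is also too small for "computed" followed by a full int (8 characters plus up to 11 for the number and a NUL), so snprintf() silently truncates large column indexes; 32 bytes is enough. Minor: the whitespace-only `+` line before `col->maxlen` should be dropped. The estrdup() copies themselves are the right direction, since the unchanged `col->namelen = strlen(col->name)` and the efree() that pdo_stmt_do_next_rowset performs in the reported backtrace then operate on memory the driver owns instead of a pointer into the FreeTDS buffer.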


Is such a "patch" correct?
 [2015-07-07 18:23 UTC] miracle+php at rpz dot name
Duplicate of #67130
 [2015-10-18 09:43 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-10-18 09:43 UTC] ab@php.net
PR 1386 was merged into 5.6 and up.

Thanks.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 01:01:34 2017 UTC