Bug #69897 segfault when manually constructing SQLite3Result
Submitted: 2015-06-22 08:40 UTC
Modified: 2015-06-22 09:13 UTC
From: sjon at hortensius dot net
Assigned: kalle
Status: Closed
Package: SQLite related
PHP Version: 7.0.0alpha1
OS: *
Private report: No
CVE-ID:
 [2015-06-22 08:40 UTC] sjon at hortensius dot net
Description:
------------
SQLite3Result has a private constructor; calling it yields a correct error message:

Fatal error: Uncaught EngineException: Call to private SQLite3Result::__construct() from invalid context in /in/G7TZg:3

But it also results in a segfault.

Test script:
---------------
From http://3v4l.org/G7TZg

<?php

$foo = new SQLite3Result();

Expected result:
----------------
Fatal error only

Actual result:
--------------
==19072== Invalid read of size 4
==19072==    at 0x4FAFC9: php_sqlite3_result_object_free_storage (sqlite3.c:2106)
==19072==    by 0x990233: zend_objects_store_free_object_storage (zend_objects_API.c:102)
==19072==    by 0x92DDDB: shutdown_executor (zend_execute_API.c:341)
==19072==    by 0x9462F3: zend_deactivate (zend.c:964)
==19072==    by 0x8B765C: php_request_shutdown (main.c:1814)
==19072==    by 0xA05233: do_cli (php_cli.c:1135)
==19072==    by 0xA0591B: main (php_cli.c:1334)
==19072==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==19072== 
==19072== 
==19072== Process terminating with default action of signal 11 (SIGSEGV)
==19072==  Access not within mapped region at address 0x20
==19072==    at 0x4FAFC9: php_sqlite3_result_object_free_storage (sqlite3.c:2106)
==19072==    by 0x990233: zend_objects_store_free_object_storage (zend_objects_API.c:102)
==19072==    by 0x92DDDB: shutdown_executor (zend_execute_API.c:341)
==19072==    by 0x9462F3: zend_deactivate (zend.c:964)
==19072==    by 0x8B765C: php_request_shutdown (main.c:1814)
==19072==    by 0xA05233: do_cli (php_cli.c:1135)
==19072==    by 0xA0591B: main (php_cli.c:1334)
==19072==  If you believe this happened as a result of a stack
==19072==  overflow in your program's main thread (unlikely but
==19072==  possible), you can try to increase the size of the
==19072==  main thread stack using the --main-stacksize= flag.
==19072==  The main thread stack size used in this run was 8388608.
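
Added example, not part of the original report and not the php-src code or the committed fix: a minimal C model of one failure pattern consistent with the trace above, where a free handler reads a 4-byte field at offset 0x20 through a pointer that is still NULL because the constructor never ran. All names and the struct layout are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed layout: `initialised` sits at offset 0x20, so reading it
 * through a NULL parent pointer touches address 0x20, as in the trace. */
typedef struct { char pad[0x20]; int initialised; } model_db;

typedef struct {
    model_db *db;   /* set only by a successful constructor */
    void *stmt;     /* native handle released by the free handler */
} model_result;

/* Allocation step: runs before the constructor and zero-fills the object. */
model_result *model_result_alloc(void) {
    return calloc(1, sizeof(model_result));
}

/* Constructor step: skipped entirely when the engine rejects the call. */
void model_result_construct(model_result *r, model_db *db) {
    r->db = db;
    r->stmt = malloc(16);
}

/* Unguarded handler (shown for contrast, never called here):
 * r->db->initialised is a read at NULL + 0x20 for a half-built object. */
int model_free_unguarded(model_result *r) {
    int finalized = r->db->initialised && r->stmt != NULL;
    free(r->stmt);
    free(r);
    return finalized;
}

/* Guarded handler: tolerates an object that was allocated but never
 * constructed. Returns 1 if a live handle was released, else 0. */
int model_free_guarded(model_result *r) {
    if (r == NULL) return 0;
    int finalized = r->db != NULL && r->db->initialised && r->stmt != NULL;
    free(r->stmt);   /* free(NULL) is a no-op */
    free(r);
    return finalized;
}

int main(void) {
    model_result *half = model_result_alloc();  /* constructor never runs */
    printf("half-built object freed, finalized=%d\n", model_free_guarded(half));
    return 0;
}
```

The general point is that an engine-level free handler runs at shutdown for every allocated object, including ones whose constructor was refused, so it cannot assume constructor-set fields are populated.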

 [2015-06-22 09:09 UTC] kalle@php.net
-Status: Open
+Status: Verified
-Operating System: archlinux
+Operating System: *
 [2015-06-22 09:09 UTC] kalle@php.net
Confirmed on Windows too
 [2015-06-22 09:12 UTC] kalle@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da4c34f0e5957f4370a22bfcc0043efb1f59955
Log: Fixed bug #69897 (segfault when manually constructing SQLite3Result)
 [2015-06-22 09:12 UTC] kalle@php.net
-Status: Verified
+Status: Closed
 [2015-06-22 09:13 UTC] kalle@php.net
-Assigned To:
+Assigned To: kalle
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da4c34f0e5957f4370a22bfcc0043efb1f59955
Log: Fixed bug #69897 (segfault when manually constructing SQLite3Result)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da4c34f0e5957f4370a22bfcc0043efb1f59955
Log: Fixed bug #69897 (segfault when manually constructing SQLite3Result)
 
Last updated: Tue Jul 25 22:01:35 2017 UTC