Bug #70565 PDO DBLIB MSSql Segmentation Fault with Prepared Statements
Submitted: 2015-09-23 20:00 UTC Modified: 2016-09-13 13:50 UTC
Votes:6
Avg. Score:4.3 ± 0.9
Reproduced:4 of 5 (80.0%)
Same Version:3 (75.0%)
Same OS:1 (25.0%)
From: reyad dot attiyat at gmail dot com Assigned:
Status: Closed Package: PDO DBlib
PHP Version: 7.0Git-2015-09-23 (Git) OS: Windows 7
Private report: No CVE-ID: None
 [2015-09-23 20:00 UTC] reyad dot attiyat at gmail dot com
Description:
------------
I'm using the latest version of PHP7 master from git compiled on Windows 7 with Visual Studio 2015. The database is MS SQL Server 2014.

I have compiled FreeTDS and the pdo_dblib support, which works fine, except that after several executions of a prepared insert statement (that may contain UTF-8 characters) a segmentation fault or corrupted SQL query occurs.

The error seems to be only reproducible when sending UTF-8 characters.

After stepping through the application I have noticed in the file:
https://github.com/php/php-src/blob/master/ext/pdo_dblib/dblib_driver.c
in function:
dblib_handle_quoter()
The quoted string allocation uses emalloc(). This seems to randomly return a pointer to a previously allocated quoted string. This has caused both corrupted queries and segmentation faults.
I checked out the code for the other pdo drivers and they use safe_emalloc() when allocating quoted strings. When I changed the dblib_handle_quoter() function to use safe_emalloc() instead of emalloc(), the problem went away.

Test Script:
https://gist.github.com/soda0289/d99fc7e82db8443c7058
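An added illustration, not PHP's own code and not the attached patch: a hypothetical checked_alloc() with the nmemb/size/offset shape of the safe_emalloc() the report mentions, feeding a hypothetical T-SQL-style quoter that sizes its buffer for the worst case of every input byte being a quote. Both function names and the quoting rule (double each embedded single quote) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator with the nmemb/size/offset shape of safe_emalloc():
 * returns NULL when nmemb * size + offset would wrap around, never a short buffer. */
static void *checked_alloc(size_t nmemb, size_t size, size_t offset)
{
    if ((size != 0 && nmemb > SIZE_MAX / size) ||
        nmemb * size > SIZE_MAX - offset) {
        return NULL;
    }
    return malloc(nmemb * size + offset);
}

/* Quote a byte string as a T-SQL literal: wrap in single quotes and double each
 * embedded quote. Worst case every byte is a quote: 2 * len + 2 delimiters + NUL. */
static int quote_sql_string(const char *unquoted, size_t len,
                            char **quoted, size_t *quotedlen)
{
    char *out = checked_alloc(len, 2, 3);
    if (out == NULL) {
        return 0;
    }
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (unquoted[i] == '\'') {
            *p++ = '\'';            /* escape by doubling */
        }
        *p++ = unquoted[i];         /* binary-safe: NUL bytes are copied */
    }
    *p++ = '\'';
    *p = '\0';
    *quotedlen = (size_t)(p - out);
    *quoted = out;
    return 1;
}

int main(void)
{
    char *q = NULL; size_t n = 0;
    if (quote_sql_string("O'Reilly", 8, &q, &n)) {
        printf("%s (%zu bytes)\n", q, n);
        free(q);
    }
    return 0;
}
```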

Patches

fix_pdo_dblib.patch (last revision 2015-09-23 20:00 UTC by reyad dot attiyat at gmail dot com)

History
 [2015-09-23 20:07 UTC] reyad dot attiyat at gmail dot com
Might be related to BUG #67495
 [2015-09-23 20:17 UTC] reyad dot attiyat at gmail dot com
Also noticed in PHP 5.16 code they use safe_emalloc() in the dblib_handle_quoter() function.
https://github.com/php/php-src/blob/PHP-5.6.14/ext/pdo_dblib/dblib_driver.c
 [2015-09-24 14:16 UTC] reyad dot attiyat at gmail dot com
I have changed the test script to not use utf-8 chars but instead just pass a 0, and the same segmentation fault occurs during allocation.

Backtrace:
php7ts.dll!_emalloc(unsigned __int64 size) Line 2414	C
php7ts.dll!dblib_handle_quoter(_pdo_dbh_t * dbh, const char * unquoted, unsigned __int64 unquotedlen, char * * quoted, unsigned __int64 * quotedlen, pdo_param_type paramtype) Line 184	C
php7ts.dll!pdo_parse_params(_pdo_stmt_t * stmt, char * inquery, unsigned __int64 inquery_len, char * * outquery, unsigned __int64 * outquery_len) Line 263	C
php7ts.dll!zim_PDOStatement_execute(_zend_execute_data * execute_data, _zval_struct * return_value) Line 495	C
php7ts.dll!ZEND_DO_FCALL_SPEC_HANDLER(_zend_execute_data * execute_data) Line 850	C
php7ts.dll!execute_ex(_zend_execute_data * ex) Line 413	C
php7ts.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 455	C
php7ts.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1429	C
php7ts.dll!php_execute_script(_zend_file_handle * primary_file) Line 2471	C
php.exe!do_cli(int argc, char * * argv) Line 972	C
php.exe!main(int argc, char * * argv) Line 1342	C
 [2015-11-17 14:29 UTC] phofstetter at sensational dot ch
I can confirm that this problem also exists on OSX with FreeTDS 0.95.21 and I can also confirm that the attached patch solves the crash.

Also, the backtraces in lldb are all over the place depending on how the PHP code looks, but the crash is always in emalloc().
 [2015-11-19 20:18 UTC] maxiwheat at gmail dot com
We have the same issue here. The code works perfectly with PHP 5.6 but in PHP 7 it breaks. We do something like this:

- Create PDO object
- Make a prepared statement (EXEC a Stored Proc with 16 parameters)
- Bind params with ->bindValue
- Execute (returns data correctly)
- Make another prepared statement (EXEC same Stored Proc; I know I could reuse the same statement, but I've been able to produce this bug that way)
- Bind params with ->bindValue
- Execute (it crashes, sometimes segfault, sometimes the query gets truncated and fails on SQL Server)

The provided patch fixes this bug.
 [2015-11-19 23:44 UTC] maxiwheat at gmail dot com
Well, I wrote too fast, we're still having issues with this, even with the patch :-/
 [2016-04-29 13:34 UTC] phofstetter at sensational dot ch
This is very likely a duplicate of #71943 which is fixed in 7.0.6
 [2016-09-12 21:26 UTC] adambaratz@php.net
-Status: Open +Status: Duplicate
 [2016-09-12 21:26 UTC] adambaratz@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Yes, this was fixed with #71943.
 [2016-09-13 13:50 UTC] reyad dot attiyat at gmail dot com
-Status: Duplicate +Status: Closed
 [2016-09-13 13:50 UTC] reyad dot attiyat at gmail dot com
I have not tested the fix mentioned but am closing the bug to keep the bug list clean.