Bug #70861 Segmentation fault in pdo_parse_params() during Drupal 8 test suite
Submitted: 2015-11-05 13:02 UTC
Modified: -
From: fabian at tag1consulting dot com
Assigned:
Status: Closed
Package: PostgreSQL related
PHP Version: 7.0Git-2015-11-05 (Git)
OS: Linux / Ubuntu
Private report: No
CVE-ID:
 [2015-11-05 13:02 UTC] fabian at tag1consulting dot com
Description:
------------
Reproducible with Drupal 8 test suite on PHP-7.0 branch with --with-pdo-pgsql.

Just running tests creates the bug.

Test script:
---------------
1. Install Drupal 8
2. Set up LAMP on localhost
3. Run:

php ./core/scripts/run-tests.sh --sqlite /tmp/coretest.sqlite --dburl pgsql://USER:PASS@localhost/drupal8  --color --non-html --url http://127.0.0.1/ --class 'Drupal\ban\Tests\Migrate\d7\MigrateBlockedIPsTest'

Expected result:
----------------
No segfault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000757495 in pdo_parse_params (stmt=0x7fffe79cde00, 
    inquery=0x7fffec063400 "INSERT INTO simpletest6174100actions (aid, type, callback, parameters, label) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert"..., inquery_len=1717, outquery=0x7fffe79cde68, outquery_len=0x7fffe79cde70)
    at ext/pdo/pdo_sql_parser.re:220
220							if (!stmt->dbh->methods->quoter(stmt->dbh, ZSTR_VAL(buf), ZSTR_LEN(buf), &plc->quoted, &plc->qlen,
(gdb) bt
#0  0x0000000000757495 in pdo_parse_params (stmt=0x7fffe79cde00, 
    inquery=0x7fffec063400 "INSERT INTO simpletest6174100actions (aid, type, callback, parameters, label) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert"..., inquery_len=1717, outquery=0x7fffe79cde68, outquery_len=0x7fffe79cde70)
    at ext/pdo/pdo_sql_parser.re:220
#1  0x000000000074f5b0 in zim_PDOStatement_execute (execute_data=0x7fffef223160, return_value=0x7fffef2230e0)
    at /home/ubuntu/php7/php-src/ext/pdo/pdo_stmt.c:495
#2  0x00000000009d568a in ZEND_DO_FCALL_SPEC_HANDLER () at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:842
#3  0x00000000009d453e in execute_ex (ex=0x7fffef214030) at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:414
#4  0x00000000009d4650 in zend_execute (op_array=0x7fffef29b100, return_value=0x0) at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:458
#5  0x0000000000979def in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/ubuntu/php7/php-src/Zend/zend.c:1428
#6  0x00000000008e764a in php_execute_script (primary_file=0x7fffffffd170) at /home/ubuntu/php7/php-src/main/main.c:2471
#7  0x0000000000a387bc in do_cli (argc=15, argv=0x135feb0) at /home/ubuntu/php7/php-src/sapi/cli/php_cli.c:974
#8  0x0000000000a39980 in main (argc=15, argv=0x135feb0) at /home/ubuntu/php7/php-src/sapi/cli/php_cli.c:1345


 [2015-11-05 13:11 UTC] fabian at tag1consulting dot com
Provided laruence with a box where the bug can easily be reproduced as in the last case.
 [2015-11-05 13:50 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5c96a91d77727a7af5604cd9be29a53e3afa2619
Log: Fix bug #70861 Segmentation fault in pdo_parse_params() during Drupal 8 test suite
 [2015-11-05 13:50 UTC] ab@php.net
-Status: Open
+Status: Closed
 [2015-11-05 17:18 UTC] fabian at tag1consulting dot com
Unfortunately while this fixed the crash, it did not fix a bug we had in the test suite in the caching layer.

Proposed fix:

https://github.com/php/php-src/pull/1619

It depends on under which circumstances php_stream_copy_to_mem() returns NULL - if that is the right fix.

However this is consistent with the ::LOB handling in ext/pdo/pdo_stmt.c.
 [2015-11-05 17:21 UTC] fabian at tag1consulting dot com
Oh and btw. to reproduce the problem (though not sure if the crash, too):

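          // Empty payload: the LOB stream below contains zero bytes.
          $value = '';

          $blob = fopen('php://memory', 'a');
          fwrite($blob, $value);
          rewind($blob);

          // $stmt: a PDOStatement prepared elsewhere (not shown in the original comment).
          $stmt->bindParam(':db_insert_placeholder_0', $blob, \PDO::PARAM_LOB);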
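
Added example, not part of the report and not code from php-src or pull request 1619: a small C model of the case raised in the 17:18 comment, where a copy-to-memory helper returns NULL for an empty LOB stream and the caller hands the buffer's value and length to a quoter. The names strbuf, copy_to_mem, quote and quote_lob are hypothetical stand-ins, and the NULL-on-empty behaviour is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a length-prefixed string; not a php-src type. */
typedef struct { size_t len; char val[1]; } strbuf;

/* Hypothetical copy-to-memory helper. Assumption: it returns NULL when the
 * stream holds zero bytes (the behaviour the 17:18 comment asks about). */
static strbuf *copy_to_mem(const char *data, size_t n) {
    strbuf *b = n ? malloc(sizeof *b + n) : NULL;
    if (!b) return NULL;
    memcpy(b->val, data, n);
    b->val[n] = '\0';
    b->len = n;
    return b;
}

/* Toy quoter: wrap in single quotes and double any embedded quote. */
static char *quote(const char *v, size_t len) {
    char *out = malloc(2 * len + 3), *p = out;
    if (!out) return NULL;
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (v[i] == '\'') *p++ = '\'';
        *p++ = v[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Quote a LOB parameter. Reading buf->val and buf->len without the NULL
 * check would dereference NULL whenever the LOB is empty. */
static char *quote_lob(const char *data) {
    strbuf *buf = copy_to_mem(data, strlen(data));
    char *q = buf ? quote(buf->val, buf->len) : quote("", 0);
    free(buf);
    return q;
}

int main(void) {
    char *empty = quote_lob(""), *text = quote_lob("it's");
    printf("%s %s\n", empty, text);
    free(empty);
    free(text);
    return 0;
}
```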
 [2015-11-05 22:10 UTC] fabian at tag1consulting dot com
https://github.com/php/php-src/pull/1619 fixed the follow-up bug reported here.

https://bugs.php.net/bug.php?id=70862 was the follow-up for other places having the same bug and is fixed as well.
 [2015-11-09 18:12 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=602e57e1c6c971e22b8da9d7518ead2b7f7a6f90
Log: Fix bug #70861 Segmentation fault in pdo_parse_params() during Drupal 8 test suite
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5c96a91d77727a7af5604cd9be29a53e3afa2619
Log: Fix bug #70861 Segmentation fault in pdo_parse_params() during Drupal 8 test suite
 
Last updated: Sat Apr 29 07:01:45 2017 UTC