Bug #71049 SQLite3Stmt::execute() releases bound parameter instead of internal buffer
Submitted: 2015-12-07 12:33 UTC Modified: 2015-12-07 15:59 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: sustmidown at centrum dot cz Assigned: laruence (profile)
Status: Closed Package: SQLite related
PHP Version: 7.0.0 OS: Linux x86-64
Private report: No CVE-ID: None
 [2015-12-07 12:33 UTC] sustmidown at centrum dot cz
Description:
------------
In commit 352117b728cd3edb8b79c7ec4e45ae060224b6ad (https://github.com/php/php-src/commit/352117b728cd3edb8b79c7ec4e45ae060224b6ad) there was a change of condition which checked whether to call:
 zend_string_release(buffer);

from:
 if (stream) {

to:
 if (buffer) {

The problem is that buffer can point either to a zend_string allocated by php_stream_copy_to_mem() or to the value of the bound parameter.

If the parameter is not a resource, buffer points to the value of the bound parameter and therefore it is released which later causes memory corruption and SIGSEGV - Segmentation fault.

With the supplied patch my test configuration runs OK. (I am sorry I cannot provide a test script, but it's a bunch of unit tests run in PHPUnit using SQLite as Doctrine metadata and DQL query cache.)

Expected result:
----------------
SQLite3Stmt::execute() should call zend_string_release() only on buffer containing result from php_stream_copy_to_mem().

Actual result:
--------------
SQLite3Stmt::execute() calls zend_string_release() on buffer containing Z_STR_P(parameter).

Patches

php-sqlite3-exec-bound-param-free-fix (last revision 2015-12-07 12:34 UTC by sustmidown at centrum dot cz)
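
The ownership mistake described in this report, reduced to a self-contained C model. This is an added example, not code from php-src or from the submitted patch: `rstr`, `bind_blob`, `release_if` and the sample string are hypothetical stand-ins for zend_string, the BLOB branch of SQLite3Stmt::execute() and its release condition.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for zend_string (hypothetical type): a refcounted buffer. */
typedef struct { int refcount; size_t len; char val[32]; } rstr;

static void rstr_init(rstr *r, const char *s) {
    r->refcount = 1;
    r->len = strlen(s) < sizeof r->val ? strlen(s) : sizeof r->val - 1;
    memcpy(r->val, s, r->len);
    r->val[r->len] = '\0';
}

/* Models zend_string_release(): drops one reference. Real code frees the
 * string at zero; here the storage stays so the count can be inspected. */
static void rstr_release(rstr *r) { r->refcount--; }

/* A bound BLOB parameter: a stream resource, or a plain string value. */
typedef struct { const char *stream; rstr *value; } bound_param;

enum release_if { RELEASE_IF_BUFFER, RELEASE_IF_STREAM };

/* Models the BLOB branch of execute(); returns the number of bytes bound. */
static size_t bind_blob(const bound_param *p, enum release_if cond) {
    rstr copy, *buffer;
    if (p->stream) {            /* stands in for php_stream_copy_to_mem() */
        rstr_init(&copy, p->stream);
        buffer = &copy;         /* owned: this function holds the reference */
    } else {
        buffer = p->value;      /* borrowed: the reference is the caller's */
    }
    size_t n = buffer->len;     /* stands in for the sqlite3 bind call */
    if (cond == RELEASE_IF_STREAM ? p->stream != NULL : buffer != NULL)
        rstr_release(buffer);
    return n;
}

/* Binds a plain string (constructed sample) and reports the caller's refcount. */
static int string_param_refcount_after(enum release_if cond) {
    rstr s;
    rstr_init(&s, "cached DQL");
    bound_param p = { NULL, &s };
    bind_blob(&p, cond);
    return s.refcount;
}

int main(void) {
    printf("if (buffer): %d\n", string_param_refcount_after(RELEASE_IF_BUFFER));
    printf("if (stream): %d\n", string_param_refcount_after(RELEASE_IF_STREAM));
    return 0;
}
```

A caller refcount of 0 under `if (buffer)` means the engine would have freed a string the caller still uses, which is the later memory corruption the report describes.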

Pull Requests

History

 [2015-12-07 12:35 UTC] sustmidown at centrum dot cz
-Operating System:
+Operating System: Linux x86-64
 [2015-12-07 12:35 UTC] sustmidown at centrum dot cz
EDIT: OS: Linux x86-64
 [2015-12-07 15:59 UTC] laruence@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: laruence