Bug #71049 SQLite3Stmt::execute() releases bound parameter instead of internal buffer
Submitted: 2015-12-07 12:33 UTC Modified: 2015-12-07 15:59 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: sustmidown at centrum dot cz Assigned: laruence (profile)
Status: Closed Package: SQLite related
PHP Version: 7.0.0 OS: Linux x86-64
Private report: No CVE-ID: None

 [2015-12-07 12:33 UTC] sustmidown at centrum dot cz
In commit 352117b728cd3edb8b79c7ec4e45ae060224b6ad there was a change of condition which checked whether to call:

 if (stream) {

 if (buffer) {

The problem is that buffer can point either to a zend_string allocated by php_stream_copy_to_mem() or to the value of the bound parameter.

If the parameter is not a resource, buffer points to the value of the bound parameter and therefore it is released which later causes memory corruption and SIGSEGV - Segmentation fault.

With the supplied patch my test configuration runs OK. (I am sorry I cannot provide a test script, but it's a bunch of unit tests run in PHP unit using SQLite as Doctrine metadata and DQL query cache.)

Expected result:
SQLite3Stmt::execute() should call zend_string_release() only on buffer containing result from php_stream_copy_to_mem().

Actual result:
SQLite3Stmt::execute() calls zend_string_release() on buffer containing Z_STR_P(parameter).


php-sqlite3-exec-bound-param-free-fix (last revision 2015-12-07 12:34 UTC by sustmidown at centrum dot cz)
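
The ownership rule described in the report, as an added C sketch that is not PHP's source or the submitted patch: `rc_string`, `rc_new`, `rc_release` and `bind_value` are hypothetical stand-ins for zend_string handling in SQLite3Stmt::execute(). The caller holds a constructed extra reference so the lost one can be counted without touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a refcounted string (not the Zend API). */
typedef struct { int refcount; char val[32]; } rc_string;

static rc_string *rc_new(const char *s) {
    rc_string *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->refcount = 1;
    strncpy(p->val, s, sizeof p->val - 1);
    return p;
}

/* Drop one reference; free on the last one. Returns references left. */
static int rc_release(rc_string *p) {
    int left = --p->refcount;
    if (left == 0) free(p);
    return left;
}

/* Models the bind step from the report.
 * from_stream != 0: buffer is a fresh copy this function owns
 *                   (the php_stream_copy_to_mem() case).
 * from_stream == 0: buffer only borrows the caller's parameter string.
 * check_buffer selects the reported condition (buffer != NULL) instead of
 * the ownership test (from_stream). Returns param's refcount afterwards. */
static int bind_value(rc_string *param, int from_stream, int check_buffer) {
    rc_string *buffer = from_stream ? rc_new("stream contents") : param;
    /* ... the bind call would read buffer->val here ... */
    int release = check_buffer ? (buffer != NULL) : from_stream;
    if (release)
        rc_release(buffer);   /* correct only when we own buffer */
    return param->refcount;
}

int main(void) {
    rc_string *param = rc_new("bound value");
    param->refcount = 2;  /* constructed: extra ref keeps param inspectable */
    printf("ownership check, string param: %d\n", bind_value(param, 0, 0));
    printf("ownership check, stream param: %d\n", bind_value(param, 1, 0));
    printf("buffer check,    stream param: %d\n", bind_value(param, 1, 1));
    printf("buffer check,    string param: %d\n", bind_value(param, 0, 1));
    rc_release(param);    /* only one reference is left after the stray release */
    return 0;
}
```

Only the last call changes the parameter's count (2 becomes 1): the borrowed string loses a reference it never gave to the bind step. With a single real reference, that release frees a string the caller still uses.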

 [2015-12-07 12:35 UTC] sustmidown at centrum dot cz
-Operating System: +Operating System: Linux x86-64
 [2015-12-07 12:35 UTC] sustmidown at centrum dot cz
EDIT: OS: Linux x86-64
 [2015-12-07 15:59 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence