Bug #72788 Invalid memory access when using persistent PDO connection
Submitted: 2016-08-08 22:41 UTC Modified: 2016-08-08 22:41 UTC
From: keyur@php.net Assigned: keyur
Status: Closed Package: PDO Core
PHP Version: 7.0.9 OS: Linux
Private report: No CVE-ID:
 [2016-08-08 22:41 UTC] keyur@php.net
Description:
------------
Run the following script with Valgrind enabled and you'll see invalid memory accesses like so. These sometimes cause segfaults.

==18213== Invalid read of size 4
==18213==    at 0x628322: pdo_mysql_stmt_dtor (mysql_statement.c:91)
==18213==    by 0x624749: php_pdo_free_statement (pdo_stmt.c:2323)
==18213==    by 0x83AFB0: zend_objects_store_del (zend_objects_API.c:178)
==18213==    by 0x61C27F: pdo_dbh_attribute_set (pdo_dbh.c:805)
==18213==    by 0x61C932: zim_PDO_dbh_constructor (pdo_dbh.c:385)
==18213==    by 0x87D39A: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:842)
==18213==    by 0x83EDDA: execute_ex (zend_vm_execute.h:414)
==18213==    by 0x888EB6: zend_execute (zend_vm_execute.h:458)
==18213==    by 0x800092: zend_execute_scripts (zend.c:1427)
==18213==    by 0x7A15E7: php_execute_script (main.c:2494)
==18213==    by 0x88AB27: do_cli (php_cli.c:974)
==18213==    by 0x453E79: main (php_cli.c:1344)
==18213==  Address 0x27f4a9a0 is 16 bytes inside a block of size 48 free'd
==18213==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18213==    by 0x83ADC9: zend_objects_store_del (zend_objects_API.c:187)
==18213==    by 0x887782: UnknownInlinedFun (zend_execute.c:2067)
==18213==    by 0x887782: zend_leave_helper_SPEC (zend_vm_execute.h:470)
==18213==    by 0x83EDDA: execute_ex (zend_vm_execute.h:414)
==18213==    by 0x888EB6: zend_execute (zend_vm_execute.h:458)
==18213==    by 0x800092: zend_execute_scripts (zend.c:1427)
==18213==    by 0x7A15E7: php_execute_script (main.c:2494)
==18213==    by 0x88AB27: do_cli (php_cli.c:974)
==18213==    by 0x453E79: main (php_cli.c:1344)
==18213==
==18213== Invalid read of size 1
==18213==    at 0x628332: pdo_mysql_stmt_dtor (mysql_statement.c:92)
==18213==    by 0x624749: php_pdo_free_statement (pdo_stmt.c:2323)
==18213==    by 0x83AFB0: zend_objects_store_del (zend_objects_API.c:178)
==18213==    by 0x61C27F: pdo_dbh_attribute_set (pdo_dbh.c:805)
==18213==    by 0x61C932: zim_PDO_dbh_constructor (pdo_dbh.c:385)
==18213==    by 0x87D39A: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:842)
==18213==    by 0x83EDDA: execute_ex (zend_vm_execute.h:414)
==18213==    by 0x888EB6: zend_execute (zend_vm_execute.h:458)
==18213==    by 0x800092: zend_execute_scripts (zend.c:1427)
==18213==    by 0x7A15E7: php_execute_script (main.c:2494)
==18213==    by 0x88AB27: do_cli (php_cli.c:974)
==18213==    by 0x453E79: main (php_cli.c:1344)
==18213==  Address 0x27f4a99d is 13 bytes inside a block of size 48 free'd
==18213==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18213==    by 0x83ADC9: zend_objects_store_del (zend_objects_API.c:187)
==18213==    by 0x887782: UnknownInlinedFun (zend_execute.c:2067)
==18213==    by 0x887782: zend_leave_helper_SPEC (zend_vm_execute.h:470)
==18213==    by 0x83EDDA: execute_ex (zend_vm_execute.h:414)
==18213==    by 0x888EB6: zend_execute (zend_vm_execute.h:458)
==18213==    by 0x800092: zend_execute_scripts (zend.c:1427)
==18213==    by 0x7A15E7: php_execute_script (main.c:2494)
==18213==    by 0x88AB27: do_cli (php_cli.c:974)
==18213==    by 0x453E79: main (php_cli.c:1344)
==18213==
Statement failed
==18213== Invalid read of size 4
==18213==    at 0x628322: pdo_mysql_stmt_dtor (mysql_statement.c:91)
==18213==    by 0x624749: php_pdo_free_statement (pdo_stmt.c:2323)
==18213==    by 0x83ABE0: zend_objects_store_free_object_storage (zend_objects_API.c:99)
==18213==    by 0x7F0F12: shutdown_executor (zend_execute_API.c:357)
==18213==    by 0x7FFD37: zend_deactivate (zend.c:967)
==18213==    by 0x7A01C0: php_request_shutdown (main.c:1833)
==18213==    by 0x889CD7: do_cli (php_cli.c:1141)
==18213==    by 0x453E79: main (php_cli.c:1344)
==18213==  Address 0x27f50160 is 16 bytes inside a block of size 48 free'd
==18213==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18213==    by 0x83ADC9: zend_objects_store_del (zend_objects_API.c:187)
==18213==    by 0x887782: UnknownInlinedFun (zend_execute.c:2067)
==18213==    by 0x887782: zend_leave_helper_SPEC (zend_vm_execute.h:470)
==18213==    by 0x83EDDA: execute_ex (zend_vm_execute.h:414)
==18213==    by 0x888EB6: zend_execute (zend_vm_execute.h:458)
==18213==    by 0x800092: zend_execute_scripts (zend.c:1427)
==18213==    by 0x7A15E7: php_execute_script (main.c:2494)
==18213==    by 0x88AB27: do_cli (php_cli.c:974)
==18213==    by 0x453E79: main (php_cli.c:1344)

Test script:
---------------
<?php

function test1() {
    $dsn = "mysql:host=127.0.0.1;port=3306;dbname=test;";
    $user = "root";
    $attr = array(
                PDO::ATTR_TIMEOUT => 120,
                PDO::ATTR_PERSISTENT => true
            );

    $pdo = new PDO($dsn, $user, NULL, $attr);
    $stmt = $pdo->query("SELECT 1 FROM DOES_NOT_EXIST");
    if ($stmt === false) {
        echo "Statement failed\n";
    }
}

test1(); // first call opens the persistent connection
test1(); // second call reuses it; the invalid reads appear inside the PDO constructor


Expected result:
----------------
No segfaults
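Triaging a trace like the one above means pairing each invalid access with the site that freed the block. The helper below is an added example (not part of the bug report or of php-src) that parses memcheck output into those pairs; the sample is a trimmed excerpt of the report's own Valgrind output.

```python
# Added example (not from the bug report or php-src): a small triage helper that turns
# Valgrind memcheck output into (faulting site, freeing site) pairs. SAMPLE is a trimmed
# excerpt of the output quoted in the report.
import re
from collections import Counter

SAMPLE = """\
==18213== Invalid read of size 4
==18213==    at 0x628322: pdo_mysql_stmt_dtor (mysql_statement.c:91)
==18213==    by 0x624749: php_pdo_free_statement (pdo_stmt.c:2323)
==18213==  Address 0x27f4a9a0 is 16 bytes inside a block of size 48 free'd
==18213==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18213==    by 0x83ADC9: zend_objects_store_del (zend_objects_API.c:187)
==18213==
==18213== Invalid read of size 1
==18213==    at 0x628332: pdo_mysql_stmt_dtor (mysql_statement.c:92)
==18213==    by 0x624749: php_pdo_free_statement (pdo_stmt.c:2323)
==18213==  Address 0x27f4a99d is 13 bytes inside a block of size 48 free'd
==18213==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18213==    by 0x83ADC9: zend_objects_store_del (zend_objects_API.c:187)
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
FREED = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is \d+ bytes inside a block of size (\d+) free'd$")

def parse_memcheck(text):
    """One dict per invalid access: kind, size, innermost faulting frame, first non-allocator freeing frame."""
    reports, cur, in_freed = [], None, False
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "fault": None, "freed_by": None, "block": None}
            reports.append(cur)
            in_freed = False
        elif cur is None:
            continue
        elif m := FREED.match(line):
            cur["block"], in_freed = int(m[1]), True   # frames that follow are the free() stack
        elif m := FRAME.match(line):
            frame = f"{m[1]} ({m[2]})"
            if not in_freed and cur["fault"] is None:
                cur["fault"] = frame                    # innermost frame of the bad access
            elif in_freed and cur["freed_by"] is None and m[1] != "free":
                cur["freed_by"] = frame                 # caller of free(), not the allocator itself
    return reports

def summarise(reports):
    """Count distinct (faulting site, freeing site) pairs: each pair is one dangling pointer to fix."""
    return Counter((r["fault"], r["freed_by"]) for r in reports)
```

Run it on the full trace from the report and the 91/92 reads collapse into two pairs, both freed from zend_objects_store_del, which points at the statement object being released before the persistent handle is done with it.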


History

 [2016-08-08 22:41 UTC] keyur@php.net
-Assigned To: +Assigned To: keyur
 [2016-08-09 03:33 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e52cb1858d70251812d76c49f526019d487aa762
Log: Fixed bug #72788 (Invalid memory access when using persistent PDO connection)
 [2016-08-09 03:33 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e52cb1858d70251812d76c49f526019d487aa762
Log: Fixed bug #72788 (Invalid memory access when using persistent PDO connection)
Last updated: Wed Feb 22 20:01:42 2017 UTC