PHP :: Bug #72862 :: segfault using prepared statements on stored procedures that use a cursor

Bug #72862

segfault using prepared statements on stored procedures that use a cursor

Submitted:

2016-08-17 04:19 UTC

Modified:

2020-12-18 09:27 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

nuke48386 at yahoo dot com

Assigned:

nikic (profile)

Status:

Closed

Package:

MySQLi related

PHP Version:

5.6.24

OS:

Debian Wheezy i686

Private report:

CVE-ID:

None

View Developer Edit

[2016-08-17 04:19 UTC] nuke48386 at yahoo dot com

Description:
------------
A prepared statement that calls a stored procedure that uses a cursor causes the PHP process to segfault.
The issue is in the mysqlnd module.


Test script:
---------------
I have posted an SQL file for creating a test database and stored procedure,
and a PHP script that together can reproduce the bug.
Together they are more than 20 lines, so they can be found in
the issue I opened with the folks at DotDeb:
https://github.com/gplessis/dotdeb-php/issues/145

Actual result:
--------------
backtrace:
Starting program: /usr/bin/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
mysqlnd_fetch_stmt_row_cursor (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c:1022
1022    /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c: No such file or directory.
#0  mysqlnd_fetch_stmt_row_cursor (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c:1022
#1  0xb73148d5 in php_mysqlnd_res_fetch_row_pub (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1352
#2  0xb73173a6 in php_mysqlnd_res_fetch_into_pub (result=0xb7621088, flags=2, return_value=0xb7621a64, extension=MYSQLND_MYSQLI)
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1823
#3  0xb73171c5 in php_mysqlnd_res_fetch_all_pub (result=0xb7621088, flags=2, return_value=0xb7621a48) at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1893
#4  0xb67c6132 in zif_mysqli_fetch_all (ht=0, return_value=0xb7621a48, return_value_ptr=0xb76041a0, this_ptr=0xb761edb0, return_value_used=1)
    at /usr/src/builddir/ext/mysqli/mysqli_nonapi.c:385
#5  0x0842d376 in execute_internal (execute_data_ptr=execute_data_ptr@entry=0xb76042bc, fci=fci@entry=0x0, return_value_used=return_value_used@entry=1)
    at /usr/src/builddir/Zend/zend_execute.c:1527
#6  0x08371493 in dtrace_execute_internal (execute_data_ptr=0xb76042bc, fci=0x0, return_value_used=1) at /usr/src/builddir/Zend/zend_dtrace.c:97
#7  0x0842f9e7 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_vm_execute.h:560
#8  0x083f15e7 in execute_ex (execute_data=execute_data@entry=0xb76042bc) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#9  0x08371359 in dtrace_execute_ex (execute_data=0xb76042bc) at /usr/src/builddir/Zend/zend_dtrace.c:73
#10 0x0842f162 in zend_execute (op_array=0xb761e5a4) at /usr/src/builddir/Zend/zend_vm_execute.h:388
#11 zend_execute (op_array=0xb761e5a4) at /usr/src/builddir/Zend/zend_vm_execute.h:383
#12 0x08384906 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#13 0x08319dae in php_execute_script (primary_file=primary_file@entry=0xbfffdf78) at /usr/src/builddir/main/main.c:2613
#14 0x08433379 in do_cli (argc=-1073750152, argc@entry=2, argv=0x7, argv@entry=0x89a0d88) at /usr/src/builddir/sapi/cli/php_cli.c:994
#15 0x080a5f43 in main (argc=2, argv=0x89a0d88) at /usr/src/builddir/sapi/cli/php_cli.c:1378
A debugging session is active.

        Inferior 1 [process 4588] will be killed.

Quit anyway? (y or n)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-30 11:53 UTC] richard dot fussenegger at trivago dot com

Possible duplicate of https://bugs.php.net/bug.php?id=72413

[2020-12-18 09:27 UTC] nikic@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic

[2020-12-18 09:27 UTC] nikic@php.net

This should be fixed by https://github.com/php/php-src/commit/bc166844e37a6e1531a18dc0916fbe508152fc6c.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC