Bug #72862 segfault using prepared statements on stored procedures that use a cursor
Submitted: 2016-08-17 04:19 UTC
Modified: 2020-12-18 09:27 UTC
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: nuke48386 at yahoo dot com
Assigned: nikic
Status: Closed
Package: MySQLi related
PHP Version: 5.6.24
OS: Debian Wheezy i686
Private report: No
CVE-ID: None
 [2016-08-17 04:19 UTC] nuke48386 at yahoo dot com
A prepared statement that calls a stored procedure that uses a cursor causes the PHP process to segfault.
The issue is in the mysqlnd module.

Test script:
I have posted an SQL file for creating a test database and stored procedure,
and a PHP script that together can reproduce the bug.
Together they are more than 20 lines, so they can be found in
the issue I opened with the folks at DotDeb:

Actual result:
Starting program: /usr/bin/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/".

Program received signal SIGSEGV, Segmentation fault.
mysqlnd_fetch_stmt_row_cursor (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c:1022
1022    /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c: No such file or directory.
#0  mysqlnd_fetch_stmt_row_cursor (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_ps.c:1022
#1  0xb73148d5 in php_mysqlnd_res_fetch_row_pub (result=0xb7621088, param=0xb7621a64, flags=2, fetched_anything=0xbfffba3f "\267\364/3\267\210\020b\267")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1352
#2  0xb73173a6 in php_mysqlnd_res_fetch_into_pub (result=0xb7621088, flags=2, return_value=0xb7621a64, extension=MYSQLND_MYSQLI)
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1823
#3  0xb73171c5 in php_mysqlnd_res_fetch_all_pub (result=0xb7621088, flags=2, return_value=0xb7621a48) at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1893
#4  0xb67c6132 in zif_mysqli_fetch_all (ht=0, return_value=0xb7621a48, return_value_ptr=0xb76041a0, this_ptr=0xb761edb0, return_value_used=1)
    at /usr/src/builddir/ext/mysqli/mysqli_nonapi.c:385
#5  0x0842d376 in execute_internal (execute_data_ptr=execute_data_ptr@entry=0xb76042bc, fci=fci@entry=0x0, return_value_used=return_value_used@entry=1)
    at /usr/src/builddir/Zend/zend_execute.c:1527
#6  0x08371493 in dtrace_execute_internal (execute_data_ptr=0xb76042bc, fci=0x0, return_value_used=1) at /usr/src/builddir/Zend/zend_dtrace.c:97
#7  0x0842f9e7 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_vm_execute.h:560
#8  0x083f15e7 in execute_ex (execute_data=execute_data@entry=0xb76042bc) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#9  0x08371359 in dtrace_execute_ex (execute_data=0xb76042bc) at /usr/src/builddir/Zend/zend_dtrace.c:73
#10 0x0842f162 in zend_execute (op_array=0xb761e5a4) at /usr/src/builddir/Zend/zend_vm_execute.h:388
#11 zend_execute (op_array=0xb761e5a4) at /usr/src/builddir/Zend/zend_vm_execute.h:383
#12 0x08384906 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#13 0x08319dae in php_execute_script (primary_file=primary_file@entry=0xbfffdf78) at /usr/src/builddir/main/main.c:2613
#14 0x08433379 in do_cli (argc=-1073750152, argc@entry=2, argv=0x7, argv@entry=0x89a0d88) at /usr/src/builddir/sapi/cli/php_cli.c:994
#15 0x080a5f43 in main (argc=2, argv=0x89a0d88) at /usr/src/builddir/sapi/cli/php_cli.c:1378
A debugging session is active.

        Inferior 1 [process 4588] will be killed.

Quit anyway? (y or n)


 [2016-09-30 11:53 UTC] richard dot fussenegger at trivago dot com
Possible duplicate of
 [2020-12-18 09:27 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic