php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73087 Memory corruption in bindParam
Submitted: 2016-09-15 07:58 UTC Modified: 2016-11-06 16:15 UTC
Votes:14
Avg. Score:4.2 ± 0.9
Reproduced:9 of 10 (90.0%)
Same Version:9 (100.0%)
Same OS:5 (55.6%)
From: dorin dot marcoci at gmail dot com Assigned: ab
Status: Closed Package: PDO Firebird
PHP Version: 7.0.10 OS: Debian 8.5
Private report: No CVE-ID:
 [2016-09-15 07:58 UTC] dorin dot marcoci at gmail dot com
Description:
------------
This bug is always reproductive by running script below.
PHP crashes with SIGSEGV and Nginx returns "Bad Gateway".

The problem seems to be in assigning UTF8 encoded string to BLOB param.
Crash happens on second statement, while fetchAll.

ENVIRONEMENT:

  Debian 8.5
  Firebird 2.5.4
  PHP-fpm 7.0.10
  Nginx 1.6.2

TABLE DDL:

SET SQL DIALECT 3;

CREATE TABLE TA_TEST (
    ID       DS_ID NOT NULL /* DS_ID = BIGINT */,
    NAME     DT_CHAR50U NOT NULL /* DT_CHAR50U = VARCHAR(50) */,
    CONTENT  DT_TEXTU NOT NULL /* DT_TEXTU = BLOB SUB_TYPE 1 SEGMENT SIZE 100 */
);

ALTER TABLE TA_TEST ADD CONSTRAINT PK_TA_TEST PRIMARY KEY (ID);

Test script:
---------------
<?php

$C = [
	'kind' => 'firebird',
	'host' => 'localhost',
	'port' => 3050,
	'base' => 'testbase',
	'charset' => 'utf8',
	'user' => 'SYSDBA',
	'password' => 'masterkey',
	'options' => [
		PDO::ATTR_PERSISTENT => TRUE,
		PDO::ATTR_CASE => PDO::CASE_LOWER,
		PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
		PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
	]

];

$S = $C['kind'].':host='.$C['host'].';port='.$C['port'].';dbname='.$C['base'].';charset='.$C['charset'];
$D = new PDO($S, $C['user'], $C['password'], $C['options']);

$Q = $D->prepare('insert into ta_test (id, name, content) values (next value for gs_id, :name, :content)');
for ($I = 0; $I < 100; $I++) {
	$Params = [
		'name' => utf8_encode(bin2hex(random_bytes(20))),
		'content' =>  utf8_encode(bin2hex(random_bytes(20)))
	];
	foreach ($Params as $Param => $Value)
		$Q->bindValue($Param, $Value);
	$Q->execute();
	$R = $Q->fetch();
	echo 'I:'.$I;
	print_r($R);
}

$E = $D->prepare('select first 100 id, name, content from ta_test');
$E->execute();
$T = $E->fetchAll();
print_r($T);

echo 'OK!';

Expected result:
----------------
Run without crashes

Actual result:
--------------
SIGSEGV, Memory corruption.
Please solve this annoying bug, it's a stopper for us.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-15 13:04 UTC] cmb@php.net
-Summary: Memory corruption in bindParam / utf8 +Summary: Memory corruption in bindParam
 [2016-09-15 13:04 UTC] cmb@php.net
The utf8_encode() is a no-op for hexadecimal strings, so this
doesn't appear to be UTF-8 related. This issue might be related to
bug #61183.
 [2016-09-15 15:40 UTC] dorin dot marcoci at gmail dot com
Strange, if I try without utf8_encode I get an error from Firebird Server:
Dynamic SQL Error SQL error code = -303 Malformed string
NAME, CONTENT have UTF8 charset and collate
Content are passed as raw bytes and server check if string is encoded properly.
But, in fact, a pure hex string should be considered valid utf8 string.
 [2016-09-16 17:23 UTC] cmb@php.net
I can reproduce the segfault on PHP 7.0 (with and without the
utf8_encode(), and even with string literals). This issue is
actually a duplicate of bug 61183. See there for further info.

However, there are also memory leaks caused by your supplied test
script, namely during executing/fetching the SELECT statement.
Thus I'm leaving this ticket open.
 [2016-11-06 16:15 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2016-11-06 16:15 UTC] ab@php.net
Fixed with https://github.com/php/php-src/pull/2183/

Thanks.
 [2017-02-04 19:31 UTC] riosjp885 at gmail dot com
i have try it on my android moto e with this php7.0 it keeps crashing my phone because i don't have enough memory space. so umms, what i am trying to do is to install it on my chromebook instead to work it out. how do i install it on my chromebook, is their a quickiest way to install this php7.0
 [2017-02-04 20:08 UTC] dorin dot marcoci at gmail dot com
riosjp885, what are you talking about?
Android phone with PHP and Firebird server running on it? ;)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Aug 20 17:01:35 2017 UTC