PHP :: Bug #73800 :: Sporadic segfault in mysqlnd with MYSQLI_OPT_INT_AND_FLOAT

Bug #73800

Sporadic segfault in mysqlnd with MYSQLI_OPT_INT_AND_FLOAT_NATIVE enabled

Submitted:

2016-12-21 15:14 UTC

Modified:

2017-01-08 17:17 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

php at vanviegen dot net

Assigned:

krakjoe (profile)

Status:

Closed

Package:

MySQLi related

PHP Version:

7.0.14

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2016-12-21 15:14 UTC] php at vanviegen dot net

Description:
------------
The segfault happens sporadically, usually when reading large amounts of data. The backtrace is instructive:

#0  php_mysqlnd_rowp_read_text_protocol_aux (row_buffer=<optimized out>, 
    fields=<optimized out>, field_count=<optimized out>, fields_metadata=0x7fa0dd9c5e20, 
    as_int_or_float=1 '\001', stats=0x7fa0dd95c460)
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_wireprotocol.c:1674
#1  0x00007fa0d97a6239 in php_mysqlnd_result_buffered_zval_fetch_row_pub (
    result=<optimized out>, param=0x7fa0d9c146b0, flags=2, 
    fetched_anything=0x7ffebc5139a7 "")
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1078
#2  0x00007fa0d97a6705 in php_mysqlnd_res_fetch_into_pub (result=0x7fa0dd9c4500, flags=2, 
    return_value=0x7fa0d9c146b0, extension=MYSQLND_MYSQLI)
    at /usr/src/builddir/ext/mysqlnd/mysqlnd_result.c:1727
#3  0x00007fa0cfd044e7 in php_mysqli_fetch_into_hash (execute_data=0x7ffebc5138e0, 
    return_value=0x7fa0d9c146b0, override_flags=0, into_object=0)
    at /usr/src/builddir/ext/mysqli/mysqli.c:1275
#4  0x00007fa0dc0b7726 in ZEND_DO_FCALL_SPEC_HANDLER ()
    at /usr/src/builddir/Zend/zend_vm_execute.h:842
[...]

Which resolves to the second line of this code fragment of ext/mysqlnd/mysqlnd_wireprotocol.c: 

            if (as_int_or_float && perm_bind.php_type == IS_LONG) {
                zend_uchar save = *(p + len);
                /* We have to make it ASCIIZ temporarily */
                *(p + len) = '\0';

So when a row ends with a long (or a float), this writes past the end of the row_buffer. As the old value is restored later on in this function, this is usually not a problem. Unless of course it happens to access unmapped address space.

Test script:
---------------
This bug seems rather impossible to reproduce deterministically, sorry!

Patches

mysqlnd-segfault-atoi.diff (last revision 2016-12-21 15:55 UTC by php at vanviegen dot net)

Pull Requests

Pull requests:

Fix for sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE (php-src/2250)
Fix for sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE (php-src/2249)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-01-08 17:17 UTC] krakjoe@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe

[2017-01-08 17:17 UTC] krakjoe@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2017-02-27 21:47 UTC] nikic@php.net

Related To: Bug #74179

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 14:00:01 2025 UTC