PHP :: Bug #74046 :: Segfault mysqli + libymsql + MySQL

Bug #74046

Segfault mysqli + libymsql + MySQL < 5.6 prepared statement fetch

Submitted:

2017-02-05 17:15 UTC

Modified:

2021-05-31 21:04 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

deeky666 at googlemail dot com

Assigned:

cmb (profile)

Status:

Wont fix

Package:

MySQLi related

PHP Version:

7.1.1

OS:

Ubuntu 16.04

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	deeky666 at googlemail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2017-02-05 17:15 UTC] deeky666 at googlemail dot com

Description:
------------
Environment:
- Ubuntu 16.04
- PHP 5.6 / 7.0 / 7.1 (all affected)
- mysqli (compiled against libmysql, error does not occur with mysqlnd)
- MySQL server < 5.6 (error does not occur since 5.6)

Trying to fetch the value of an expression like "DATE_ADD(NOW(), INTERVAL 1 SECOND)" using mysqli prepared statement results in a segmentation fault.

The "NOW()" expression part can be substituted by any other date related function or a datetime type column name, same result.

Using a string literal like "2017-01-01" for example does not result in an error.

Using "mysqli_query()" instead of a prepared statement works. Using "pdo_mysql" (libmysql) also works.

Test script:
---------------
$conn = new mysqli("host", "user", "password", "");
$query = "SELECT DATE_ADD(STR_TO_DATE('2017-01-01', '%Y-%m-%d'), INTERVAL 1 SECOND)";
$stmt = $conn->prepare($query);
$stmt->execute();
$stmt->bind_result($value);
var_dump($stmt->fetch());

Expected result:
----------------
string(19) "2017-01-01 00:00:01"

Actual result:
--------------
gdb backtrace:

#0  0x00007ffff3a0290d in ?? () from /usr/lib/x86_64-linux-gnu/libmysqlclient.so.20
#1  0x00007ffff39f18bf in ?? () from /usr/lib/x86_64-linux-gnu/libmysqlclient.so.20
#2  0x00007ffff39f1b28 in ?? () from /usr/lib/x86_64-linux-gnu/libmysqlclient.so.20
#3  0x00007ffff39f631e in mysql_stmt_fetch () from /usr/lib/x86_64-linux-gnu/libmysqlclient.so.20
#4  0x00007ffff359cf60 in mysqli_stmt_fetch_libmysql (execute_data=<optimized out>, return_value=0x7ffff4413140) at /tmp/php-7.1.0/ext/mysqli/mysqli_api.c:960
#5  0x00000000006e8efc in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /tmp/php-7.1.0/Zend/zend_vm_execute.h:1097
#6  0x0000000000690abb in execute_ex (ex=<optimized out>) at /tmp/php-7.1.0/Zend/zend_vm_execute.h:429
#7  0x00000000006eb340 in zend_execute (op_array=0x7ffff447f000, op_array@entry=0x7ffff4486260, return_value=return_value@entry=0x7ffff4413030)
    at /tmp/php-7.1.0/Zend/zend_vm_execute.h:474
#8  0x00000000006474e3 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff4413030, retval@entry=0x0, file_count=file_count@entry=3) at /tmp/php-7.1.0/Zend/zend.c:1474
#9  0x00000000005e4470 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd190) at /tmp/php-7.1.0/main/main.c:2533
#10 0x00000000006ed5c6 in do_cli (argc=9, argv=0xe3b680) at /tmp/php-7.1.0/sapi/cli/php_cli.c:990
#11 0x0000000000428fec in main (argc=9, argv=0xe3b680) at /tmp/php-7.1.0/sapi/cli/php_cli.c:1378

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-02-05 17:19 UTC] deeky666 at googlemail dot com

-Package: Reproducible crash +Package: MySQLi related

[2017-02-05 17:19 UTC] deeky666 at googlemail dot com

Sorry the test script is wrong. The correct one should be:

$conn = new mysqli("host", "user", "password", "");
$query = "SELECT DATE_ADD(STR_TO_DATE('2017-01-01', '%Y-%m-%d'), INTERVAL 1 SECOND)";
$stmt = $conn->prepare($query);
$stmt->execute();
$stmt->bind_result($value);
$stmt->fetch();
var_dump($value);

[2021-05-31 21:04 UTC] cmb@php.net

-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb

[2021-05-31 21:04 UTC] cmb@php.net

This is likely an issue with the old MySQL version, and even if
not, won't be addressed by us.  Either use a somewhat recent MySQL
server, or mysqlnd, or avoid such problematic constructs.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Jul 19 00:00:03 2025 UTC