Bug #74376 Invalid free of persistent results on error/connection loss
Submitted: 2017-04-05 18:51 UTC Modified: 2017-04-10 05:58 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: dev at pp3345 dot net Assigned: krakjoe (profile)
Status: Closed Package: MySQL related
PHP Version: 7.1.3 OS: Irrelevant
Private report: No CVE-ID: None
 [2017-04-05 18:51 UTC] dev at pp3345 dot net
Description:
------------
mysqlnd allocates result objects in mysqlnd_result.c:1899 (mysqlnd_result_init):
	MYSQLND_RES * ret = mnd_pecalloc(1, alloc_size, persistent);

Note that these objects may be allocated persistently if the underlying connection is persistent. Normally these objects will be freed in mysqlnd_result.c:347 (mysqlnd_res::free_result_internal):
	mnd_pefree(result, result->persistent);
Here, the persistence flag is respected.

However, in some cases (query errors or connection loss), mysqlnd_ps.c will use mnd_efree() instead of mnd_pefree() to free a result object:
line 132 (mysqlnd_stmt::store_result):
	mnd_efree(stmt->result);
line 359 (mysqlnd_stmt_prepare_read_eof):
	mnd_efree(stmt->result);

This will cause segfaults/"zend_mm_heap corrupted" in the above-mentioned cases.

Test script:
---------------
<?php

// DSN, user and password are elided in the original report.
// Both attributes matter: a persistent connection makes mysqlnd allocate the
// result object persistently, and disabling emulated prepares routes the
// query through mysqlnd_ps.c (native prepared statements).
$conn = new PDO("mysql:...", "...", "...", [PDO::ATTR_PERSISTENT => true, PDO::ATTR_EMULATE_PREPARES => false]);

// The scalar subquery returns two rows, so MySQL reports an error
// ("Subquery returns more than 1 row"), which takes the failing error path.
$conn->query("select (select 1 union select 2)");

Expected result:
----------------
Script executes successfully.

Actual result:
--------------
segfault
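
The report describes a mismatch between allocator pairs: a block obtained with mnd_pecalloc(..., persistent) must be released with mnd_pefree(ptr, persistent), but the error paths in mysqlnd_ps.c release it with mnd_efree(), which only knows the per-request heap. The following is an added, constructed C model of that bug class; it is not zend_mm or mysqlnd code. Each block carries a header recording which allocator owns it, so a free through the wrong allocator is counted rather than corrupting the heap. The names model_pecalloc, model_efree, model_pefree, result_init, free_result_buggy, free_result_fixed and demo are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Constructed model: two allocators (per-request and persistent) that share
 * one backing store but tag every block with its owner. In the real engine
 * the two heaps are distinct, and a free through the wrong one is what
 * produces "zend_mm_heap corrupted" or a segfault. */

typedef struct {
    int persistent;   /* 1 if the block came from model_pecalloc(..., 1) */
    size_t size;      /* payload size, kept for completeness */
} hdr_t;

/* Number of frees that went through the wrong allocator (hypothetical counter). */
static int g_mismatches = 0;

static hdr_t *hdr_of(void *p) { return (hdr_t *)p - 1; }

/* Model of mnd_pecalloc: zeroed allocation tagged with the persistence flag. */
void *model_pecalloc(size_t n, size_t sz, int persistent) {
    hdr_t *h = calloc(1, sizeof(hdr_t) + n * sz);
    if (!h) return NULL;
    h->persistent = persistent;
    h->size = n * sz;
    return h + 1;
}

/* Model of mnd_efree: request-heap free only. Handing it a persistent block
 * is exactly the defect at mysqlnd_ps.c lines 132 and 359 in the report. */
int model_efree(void *p) {
    hdr_t *h = hdr_of(p);
    int rc = 0;
    if (h->persistent) {   /* wrong allocator for this block */
        g_mismatches++;
        rc = -1;
    }
    free(h);
    return rc;
}

/* Model of mnd_pefree: the caller states which allocator owns the block. */
int model_pefree(void *p, int persistent) {
    hdr_t *h = hdr_of(p);
    int rc = 0;
    if (h->persistent != persistent) {
        g_mismatches++;
        rc = -1;
    }
    free(h);
    return rc;
}

/* Result object as in the report: the object remembers its own persistency. */
typedef struct {
    int persistent;
    char payload[64];
} result_t;

result_t *result_init(int persistent) {
    result_t *r = model_pecalloc(1, sizeof *r, persistent);
    if (r) r->persistent = persistent;
    return r;
}

/* Error path before the fix: always frees through the request allocator. */
int free_result_buggy(result_t *r) { return model_efree(r); }

/* Error path after the fix: frees through the allocator recorded in the object. */
int free_result_fixed(result_t *r) { return model_pefree(r, r->persistent); }

/* Allocates one result with the given persistency, frees it via the chosen
 * path and returns how many allocator mismatches that produced (0 or 1). */
int demo(int persistent, bool use_fixed) {
    g_mismatches = 0;
    result_t *r = result_init(persistent);
    if (!r) return -1;
    if (use_fixed) free_result_fixed(r); else free_result_buggy(r);
    return g_mismatches;
}

int main(void) {
    printf("persistent result, efree() on error path:  %d mismatch\n", demo(1, false));
    printf("persistent result, pefree() on error path: %d mismatch\n", demo(1, true));
    printf("request result,    efree() on error path:  %d mismatch\n", demo(0, false));
    return 0;
}
```

The non-persistent case never trips because mnd_efree() and the request heap agree; the defect only surfaces with PDO::ATTR_PERSISTENT, which is why the report's test script needs that attribute. When reviewing similar code, look for any pecalloc/pemalloc whose every free site is pefree with the same flag, and treat an efree of such a pointer on an error or disconnect path as a heap-corruption bug even if the happy path is correct.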

History
 [2017-04-10 05:58 UTC] krakjoe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2017-04-10 05:58 UTC] krakjoe@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Not sure why this didn't close automatically.
 