php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75927 Crash when using subquery which returns more than 1 row
Submitted: 2018-02-06 15:29 UTC Modified: 2020-12-12 00:39 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: s dot pfalz at webcookies dot de Assigned: dharman (profile)
Status: Closed Package: MySQLi related
PHP Version: 7.0.28 OS: Fedora 27
Private report: No CVE-ID: None
 [2018-02-06 15:29 UTC] s dot pfalz at webcookies dot de
Description:
------------
When executing the code below PHP-FPM interpreter crashes with sigsegv and dumps core.
The problem is related to the subquery, which should normally return only 1 row, but in my case it would return 2 rows, which of course cannot work and I expected an error code: "Error Code: 1242. Subquery returns more than 1 row". 
However i got a crash (503 Service unavailable) and a coredump was written.





Test script:
---------------
<?php
$mysqli = new mysqli("localhost","xyz","xyz_2k17","xyz");
if($mysqli->connect_errno)
  {
  die("Cannot connect: ".$mysqli->connect_error);
  }
$SQL=<<<EOM
SELECT  bc.ID AS BOOKING_CUSTOMER_ID,
        bc.REF_ORDER_ID,
        bc.BOOKING_NUMBER,
        bc.STATUS,
        UNIX_TIMESTAMP(bc.PAYMENT_DATE) AS BOOKING_PAYMENT_DATE,
        bc.PAYMENT_SUM,
        bc.BOOKING_STATUS,
        bc.BOOKING_STATUS_CODE,
        bc.BOOKING_MESSAGE,
        bc.TRANSACTION_ID,
        UNIX_TIMESTAMP(bc.BOOKING_DATE) AS BC_BOOKING_DATE,
        UNIX_TIMESTAMP(EXECUTION_DATE) AS BC_EXECUTION_DATE,
        UNIX_TIMESTAMP(bc.CDATE) AS BOOKING_CUSTOMER_CDATE,
        UNIX_TIMESTAMP(bc.MDATE) AS BOOKING_CUSTOMER_MDATE,
        (SELECT PAYMENT_SUM+PENALTY_FEE+PROCESSING_FEE+LAWYER_FEE FROM xyz_failed_payments fp WHERE fp.REF_BOOKING_ID=bc.ID) AS PAYMENT_FEE
 FROM   xyz_order_booking_customer bc
 WHERE  bc.REF_ORDER_ID=?
 ORDER  BY bc.BOOKING_NUMBER
EOM;
if(!($stmt = $mysqli->prepare($SQL)))
  {
  die("PREPARE FAILED: ".$mysqli->error);
  }
$id = 9;
if(!$stmt->bind_param("i",$id))
  {
  die("Binding failed: ".$stmt->error);
  }
if(!$stmt->execute())
  {
  die("Execute failed! ".$stmt->error);
  }


Expected result:
----------------
Execute should give an error:
Error Code: 1242. Subquery returns more than 1 row



Actual result:
--------------
Segmentation fault (core dumped)

Backtrace:

#0  0x00000000008ebdd0 in php_mysqlnd_stmt_fetch_pub ()
#1  0x00007fb77d479188 in ?? ()
#2  0x00007ffc0bbbd71f in ?? ()
#3  0x0000000001329e60 in m_sbox ()
#4  0x0000000000000001 in ?? ()
#5  0x00007fb77d487008 in ?? ()
#6  0x00007ffc0bbbda00 in ?? ()
#7  0x00000000008e47c4 in php_mysqlnd_result_buffered_num_rows_pub ()
#8  0x00007fb77d46c248 in ?? ()
#9  0x00007fb77d487008 in ?? ()
#10 0x00007fb77d472148 in ?? ()
#11 0x00007fb77d487008 in ?? ()
#12 0x00007fb77d46d008 in ?? ()
#13 0x00000000008ea263 in php_mysqlnd_debug_set_mode_pub ()
#14 0x18ac670d3c77163f in ?? ()
#15 0x0000000000000000 in ?? ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-07 06:14 UTC] s dot pfalz at webcookies dot de
Sorry, backtrace was against php-fpm, but I've tested on CLI :(

Here's the correct trace:

0  0x00000000008ebdd0 in mysqlnd_stmt_fetch_row_unbuffered ()
#1  0x00000000008e47c4 in php_mysqlnd_res_skip_result_pub ()
#2  0x00000000008ea263 in php_mysqlnd_stmt_net_close_priv ()
#3  0x00000000008e97be in php_mysqlnd_stmt_dtor_pub ()
#4  0x0000000000720c6f in mysqli_stmt_free_storage ()
#5  0x000000000099dfaa in zend_objects_store_del ()
#6  0x00000000009700f1 in zend_hash_reverse_apply ()
#7  0x000000000094d7ed in shutdown_destructors ()
#8  0x000000000095e7a4 in zend_call_destructors ()
#9  0x00000000008f300d in php_request_shutdown ()
#10 0x0000000000a0657a in do_cli ()
#11 0x000000000045000b in main ()
 [2018-03-02 11:19 UTC] s dot pfalz at webcookies dot de
-PHP Version: 7.0.27 +PHP Version: 7.0.28
 [2018-03-02 11:19 UTC] s dot pfalz at webcookies dot de
Just tested against php 7.0.28, still the same. To make it easier to reproduce, a stripped down script including table structure and testdata is provided.

Tescript:

<?php
/*
CREATE TABLE t1
  (
  ID    BIGINT  NOT NULL AUTO_INCREMENT,
  VAL   VARCHAR(100)   NOT NULL,
  PRIMARY KEY(ID)
  )
 ENGINE=InnoDB
 CHARACTER SET utf8;

CREATE TABLE t2
  (
  ID          BIGINT  NOT NULL AUTO_INCREMENT,
  REF_T1_ID   BIGINT  NOT NULL,
  VAL_T2      VARCHAR(100),
  PRIMARY KEY(ID)
  )
 ENGINE=InnoDB
 CHARACTER SET utf8;

INSERT INTO t1 VALUES(1,'TEST1');
INSERT INTO t1 VALUES(2,'TEST2');

INSERT INTO t2 VALUES(1,1,'REF_TEST1.1');
INSERT INTO t2 VALUES(2,1,'REF_TEST1.2');
*/

$mysqli = new mysqli("localhost","siegel","siegel","siegel");
if($mysqli->connect_errno)
  {
  die("Cannot connect: ".$mysqli->connect_error);
  }
$SQL=<<<EOM
SELECT  t1.ID,
        t1.VAL,
        (SELECT t2.VAL_T2 FROM t2 WHERE REF_T1_ID=t1.ID) AS VAL2
  FROM  t1
 WHERE  t1.ID=?
EOM;
if(!($stmt = $mysqli->prepare($SQL)))
  {
  die("PREPARE FAILED: ".$mysqli->error);
  }
$id = 1;
if(!$stmt->bind_param("i",$id))
  {
  die("Binding failed: ".$stmt->error);
  }
if(!$stmt->execute())
  {
  die("Execute failed! ".$stmt->error);
  }

Backtrace after Core Dump:

Core was generated by `php mysqli_bug_75927.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000008ebce0 in mysqlnd_stmt_fetch_row_unbuffered ()
(gdb) bt
#0  0x00000000008ebce0 in mysqlnd_stmt_fetch_row_unbuffered ()
#1  0x00000000008e46d4 in php_mysqlnd_res_skip_result_pub ()
#2  0x00000000008ea173 in php_mysqlnd_stmt_net_close_priv ()
#3  0x00000000008e96ce in php_mysqlnd_stmt_dtor_pub ()
#4  0x0000000000720b3f in mysqli_stmt_free_storage ()
#5  0x000000000099deaa in zend_objects_store_del ()
#6  0x000000000096fff1 in zend_hash_reverse_apply ()
#7  0x000000000094d6fd in shutdown_destructors ()
#8  0x000000000095e6a4 in zend_call_destructors ()
#9  0x00000000008f2f1d in php_request_shutdown ()
#10 0x0000000000a0647a in do_cli ()
#11 0x000000000045001b in main ()
 [2020-12-12 00:39 UTC] dharman@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dharman
 [2020-12-12 00:39 UTC] dharman@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at
http://www.php.net/downloads.php

This was fixed in 7.4.13. Commit: https://github.com/php/php-src/commit/b03776adb5bbb9b54731a44377632fcc94a59d2f
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 10:01:28 2024 UTC