PHP :: Bug #75927 :: Crash when using subquery which returns more than 1 row

[2018-02-06 15:29 UTC] s dot pfalz at webcookies dot de

Description:
------------
When executing the code below PHP-FPM interpreter crashes with sigsegv and dumps core.
The problem is related to the subquery, which should normally return only 1 row, but in my case it would return 2 rows, which of course cannot work and I expected an error code: "Error Code: 1242. Subquery returns more than 1 row". 
However i got a crash (503 Service unavailable) and a coredump was written.





Test script:
---------------
<?php
$mysqli = new mysqli("localhost","xyz","xyz_2k17","xyz");
if($mysqli->connect_errno)
  {
  die("Cannot connect: ".$mysqli->connect_error);
  }
$SQL=<<<EOM
SELECT  bc.ID AS BOOKING_CUSTOMER_ID,
        bc.REF_ORDER_ID,
        bc.BOOKING_NUMBER,
        bc.STATUS,
        UNIX_TIMESTAMP(bc.PAYMENT_DATE) AS BOOKING_PAYMENT_DATE,
        bc.PAYMENT_SUM,
        bc.BOOKING_STATUS,
        bc.BOOKING_STATUS_CODE,
        bc.BOOKING_MESSAGE,
        bc.TRANSACTION_ID,
        UNIX_TIMESTAMP(bc.BOOKING_DATE) AS BC_BOOKING_DATE,
        UNIX_TIMESTAMP(EXECUTION_DATE) AS BC_EXECUTION_DATE,
        UNIX_TIMESTAMP(bc.CDATE) AS BOOKING_CUSTOMER_CDATE,
        UNIX_TIMESTAMP(bc.MDATE) AS BOOKING_CUSTOMER_MDATE,
        (SELECT PAYMENT_SUM+PENALTY_FEE+PROCESSING_FEE+LAWYER_FEE FROM xyz_failed_payments fp WHERE fp.REF_BOOKING_ID=bc.ID) AS PAYMENT_FEE
 FROM   xyz_order_booking_customer bc
 WHERE  bc.REF_ORDER_ID=?
 ORDER  BY bc.BOOKING_NUMBER
EOM;
if(!($stmt = $mysqli->prepare($SQL)))
  {
  die("PREPARE FAILED: ".$mysqli->error);
  }
$id = 9;
if(!$stmt->bind_param("i",$id))
  {
  die("Binding failed: ".$stmt->error);
  }
if(!$stmt->execute())
  {
  die("Execute failed! ".$stmt->error);
  }


Expected result:
----------------
Execute should give an error:
Error Code: 1242. Subquery returns more than 1 row



Actual result:
--------------
Segmentation fault (core dumped)

Backtrace:

#0  0x00000000008ebdd0 in php_mysqlnd_stmt_fetch_pub ()
#1  0x00007fb77d479188 in ?? ()
#2  0x00007ffc0bbbd71f in ?? ()
#3  0x0000000001329e60 in m_sbox ()
#4  0x0000000000000001 in ?? ()
#5  0x00007fb77d487008 in ?? ()
#6  0x00007ffc0bbbda00 in ?? ()
#7  0x00000000008e47c4 in php_mysqlnd_result_buffered_num_rows_pub ()
#8  0x00007fb77d46c248 in ?? ()
#9  0x00007fb77d487008 in ?? ()
#10 0x00007fb77d472148 in ?? ()
#11 0x00007fb77d487008 in ?? ()
#12 0x00007fb77d46d008 in ?? ()
#13 0x00000000008ea263 in php_mysqlnd_debug_set_mode_pub ()
#14 0x18ac670d3c77163f in ?? ()
#15 0x0000000000000000 in ?? ()

[2018-02-07 06:14 UTC] s dot pfalz at webcookies dot de

Sorry, backtrace was against php-fpm, but I've tested on CLI :(

Here's the correct trace:

0  0x00000000008ebdd0 in mysqlnd_stmt_fetch_row_unbuffered ()
#1  0x00000000008e47c4 in php_mysqlnd_res_skip_result_pub ()
#2  0x00000000008ea263 in php_mysqlnd_stmt_net_close_priv ()
#3  0x00000000008e97be in php_mysqlnd_stmt_dtor_pub ()
#4  0x0000000000720c6f in mysqli_stmt_free_storage ()
#5  0x000000000099dfaa in zend_objects_store_del ()
#6  0x00000000009700f1 in zend_hash_reverse_apply ()
#7  0x000000000094d7ed in shutdown_destructors ()
#8  0x000000000095e7a4 in zend_call_destructors ()
#9  0x00000000008f300d in php_request_shutdown ()
#10 0x0000000000a0657a in do_cli ()
#11 0x000000000045000b in main ()

[2018-03-02 11:19 UTC] s dot pfalz at webcookies dot de

-PHP Version: 7.0.27 +PHP Version: 7.0.28

[2018-03-02 11:19 UTC] s dot pfalz at webcookies dot de

Just tested against php 7.0.28, still the same. To make it easier to reproduce, a stripped down script including table structure and testdata is provided.

Tescript:

<?php
/*
CREATE TABLE t1
  (
  ID    BIGINT  NOT NULL AUTO_INCREMENT,
  VAL   VARCHAR(100)   NOT NULL,
  PRIMARY KEY(ID)
  )
 ENGINE=InnoDB
 CHARACTER SET utf8;

CREATE TABLE t2
  (
  ID          BIGINT  NOT NULL AUTO_INCREMENT,
  REF_T1_ID   BIGINT  NOT NULL,
  VAL_T2      VARCHAR(100),
  PRIMARY KEY(ID)
  )
 ENGINE=InnoDB
 CHARACTER SET utf8;

INSERT INTO t1 VALUES(1,'TEST1');
INSERT INTO t1 VALUES(2,'TEST2');

INSERT INTO t2 VALUES(1,1,'REF_TEST1.1');
INSERT INTO t2 VALUES(2,1,'REF_TEST1.2');
*/

$mysqli = new mysqli("localhost","siegel","siegel","siegel");
if($mysqli->connect_errno)
  {
  die("Cannot connect: ".$mysqli->connect_error);
  }
$SQL=<<<EOM
SELECT  t1.ID,
        t1.VAL,
        (SELECT t2.VAL_T2 FROM t2 WHERE REF_T1_ID=t1.ID) AS VAL2
  FROM  t1
 WHERE  t1.ID=?
EOM;
if(!($stmt = $mysqli->prepare($SQL)))
  {
  die("PREPARE FAILED: ".$mysqli->error);
  }
$id = 1;
if(!$stmt->bind_param("i",$id))
  {
  die("Binding failed: ".$stmt->error);
  }
if(!$stmt->execute())
  {
  die("Execute failed! ".$stmt->error);
  }

Backtrace after Core Dump:

Core was generated by `php mysqli_bug_75927.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000008ebce0 in mysqlnd_stmt_fetch_row_unbuffered ()
(gdb) bt
#0  0x00000000008ebce0 in mysqlnd_stmt_fetch_row_unbuffered ()
#1  0x00000000008e46d4 in php_mysqlnd_res_skip_result_pub ()
#2  0x00000000008ea173 in php_mysqlnd_stmt_net_close_priv ()
#3  0x00000000008e96ce in php_mysqlnd_stmt_dtor_pub ()
#4  0x0000000000720b3f in mysqli_stmt_free_storage ()
#5  0x000000000099deaa in zend_objects_store_del ()
#6  0x000000000096fff1 in zend_hash_reverse_apply ()
#7  0x000000000094d6fd in shutdown_destructors ()
#8  0x000000000095e6a4 in zend_call_destructors ()
#9  0x00000000008f2f1d in php_request_shutdown ()
#10 0x0000000000a0647a in do_cli ()
#11 0x000000000045001b in main ()

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2019 The PHP Group All rights reserved.	Last updated: Thu May 23 15:01:32 2019 UTC