Bug #81009 PDO statement segfault on invalid param
Submitted: 2021-05-03 16:45 UTC Modified: 2021-05-04 10:18 UTC
Votes: 2
Avg. Score: 5.0 ± 0.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 0 (0.0%)
From: theo dot fidry at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO PgSQL
PHP Version: 7.4.18 OS: OSX 11.2.3
Private report: No CVE-ID: None
 [2021-05-03 16:45 UTC] theo dot fidry at gmail dot com
Description:
------------
We have in our code the following statement (done via Doctrine):

```php
$stmt->bindValue(6, null, 1);
```

coming from an entity property of the type `?int` and for which the corresponding DB column is a nullable integer (PostgreSQL 12.3).

When upgrading from PHP 7.4.13 to 7.4.18, the above statement results in a segfault once the query is executed.

Changing the `null` value into an int value, or keeping the value `null` and changing the param type `1` to `0`, both result in a successful execution on 7.4.18.

The related Doctrine code is https://github.com/doctrine/dbal/blob/2.13.x/lib/Doctrine/DBAL/Statement.php#L101-L121; as you can see it has not changed in a long time, and even if a failure is expected with an invalid type, I suspect a segfault is not the desired outcome.

Test script:
---------------
We are using the following excerpt locally:

```php
$kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
$kernel->boot();

/** @var PDOStatement $stmt */
$stmt = $kernel->getContainer()
    ->get('doctrine.dbal.default_connection')
    ->prepare('INSERT INTO foo (col1, col2, col3, col4, col5, col6, col7) VALUES (?, ?, ?, ?, ?, ?, ?)');

$stmt->bindValue(1, 16527, 1);
$stmt->bindValue(2, 'ee3b3a2d-f01a-4455-a509-629bf2780ca6', 2);
$stmt->bindValue(3, '2021-05-03T16:09:31Z', 2);
$stmt->bindValue(4, 'certificationGranted', 2);
$stmt->bindValue(5, 'foo', 2);
$stmt->bindValue(6, null, 1); // null bound with type 1 (PDO::PARAM_INT): the combination that crashes on 7.4.18
$stmt->bindValue(7, '3e2456b7-49c2-46de-ad7d-1b3f4c1b5663', 2);

$stmt = $stmt->execute(null);
```


Expected result:
----------------
Not a segfault.


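The report above shows that a `null` bound with `PDO::PARAM_INT` crashes pdo_pgsql on 7.4.18 while the same `null` bound with type `0` (`PDO::PARAM_NULL`) succeeds. The following is an added example, not code from the report or from Doctrine: a small `bindValue()` wrapper that always binds `null` as `PDO::PARAM_NULL`, so the driver never receives the (null, PARAM_INT) pair until the fixed PHP versions are deployed. It assumes the hypothetical environment variables `PDO_DSN`, `PDO_USER` and `PDO_PASS` point at a PostgreSQL database, and falls back to an in-memory SQLite database so it can be run offline.

```php
<?php
// Added example (not part of the bug report): defensive wrapper around
// PDOStatement::bindValue() that maps a null value to PDO::PARAM_NULL
// regardless of the requested type. Environment variable names below
// are assumptions for this example.
declare(strict_types=1);

function bindNullable(PDOStatement $stmt, int $pos, $value, int $type): void
{
    // A null is always sent as PARAM_NULL, so (null, PARAM_INT) never
    // reaches the driver; non-null values keep their declared type.
    $stmt->bindValue($pos, $value, $value === null ? PDO::PARAM_NULL : $type);
}

// Hypothetical DSN from the environment; SQLite in-memory as offline fallback.
$dsn = getenv('PDO_DSN') ?: 'sqlite::memory:';
$pdo = new PDO(
    $dsn,
    getenv('PDO_USER') ?: null,
    getenv('PDO_PASS') ?: null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Constructed schema: a NOT NULL integer and a nullable integer column,
// mirroring col1 and col6 from the report.
$pdo->exec('CREATE TEMPORARY TABLE foo (col1 INTEGER NOT NULL, col6 INTEGER NULL)');

$stmt = $pdo->prepare('INSERT INTO foo (col1, col6) VALUES (?, ?)');
bindNullable($stmt, 1, 16527, PDO::PARAM_INT);
bindNullable($stmt, 2, null, PDO::PARAM_INT); // bound as PARAM_NULL by the wrapper
$stmt->execute();

// Read the row back to confirm the nullable column was stored as NULL.
$row = $pdo->query('SELECT col1, col6 FROM foo')->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

The same mapping can be applied centrally (for example in the layer that translates entity property types to PDO parameter types) so that nullable `?int` properties never reach `bindValue()` as `(null, PDO::PARAM_INT)`.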
 [2021-05-04 01:22 UTC] rwahyudi at gmail dot com
Confirmed that we hit the same bug on RHEL7 and can reproduce the issue. 

When hitting this bug, we get the following error on /var/log/message : 

```
kernel: php74[6170]: segfault at 18 ip 00007fb376c68fe7 sp 00007ffc46b4d280 error 4 in libc-2.17.so[7fb376c2e000+1c4000]
```

strace result : 

```
open("vendor/doctrine/dbal/lib/Doctrine/DBAL/Statement.php", O_RDONLY) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=23012, ...}) = 0
read(14, "<?php\n\nnamespace Doctrine\\DBAL;\n"..., 23012) = 23012
fcntl(4, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
fcntl(4, F_SETLK, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0
close(14)                               = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x18} ---
+++ killed by SIGSEGV ++
```
 [2021-05-04 10:18 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-05-04 10:18 UTC] cmb@php.net
This is a duplicate of bug #81002, which will be fixed in
PHP 7.4.19 and 8.0.6.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 18:01:29 2024 UTC