php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81252 PDO_ODBC doesn't account for SQL_NO_TOTAL
Submitted: 2021-07-12 16:40 UTC Modified: 2021-07-21 13:25 UTC
From: calvin at cmpct dot info Assigned: cmb (profile)
Status: Closed Package: PDO ODBC
PHP Version: 7.4.21 OS: Fedora 34
Private report: No CVE-ID: None
 [2021-07-12 16:40 UTC] calvin at cmpct dot info
Description:
------------
Similar to #80460 for procedural ODBC (which was fixed, though perhaps with not an ideal solution). This will manifest as PDO_ODBC getting -4 as the length back from the driver, and blindly trying to memcpy that length, crashing.

Test script:
---------------
https://gist.github.com/NattyNarwhal/e1209fc967b0f4dcdfba7d2405557077

Includes reproduction for Db2i.

Expected result:
----------------
object(stdClass)#3 (4) {
  ["ID"]=>
  &string(1) "1"
  ["Data1"]=>
  &string(20) "5char               "
  ["Data2"]=>
  &string(25) "xxxxxxxxxxxxxxxxxxx      "
  ["Data3"]=>
  &string(2) "19"
}

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff77cbac6 in __memcpy_avx_unaligned_erms () from /lib64/libc.so.6
(gdb) where
#0  0x00007ffff77cbac6 in __memcpy_avx_unaligned_erms () from /lib64/libc.so.6
#1  0x00007fffe419a274 in memcpy (__len=18446744073709551612, __src=0x7ffff72010c0, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:29
#2  odbc_stmt_param_hook (stmt=<optimized out>, param=<optimized out>, event_type=<optimized out>) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/ext/pdo_odbc/odbc_stmt.c:522
#3  0x00007fffe44b51ee in dispatch_param_event (event_type=PDO_PARAM_EVT_EXEC_POST, stmt=0x7ffff7287000) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/ext/pdo/pdo_stmt.c:179
#4  dispatch_param_event (stmt=0x7ffff7287000, event_type=PDO_PARAM_EVT_EXEC_POST) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/ext/pdo/pdo_stmt.c:160
#5  0x00007fffe44b5e6d in zim_PDOStatement_execute (execute_data=<optimized out>, return_value=0x7fffffff9d10) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/ext/pdo/pdo_stmt.c:520
#6  0x0000555555855e0b in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php-7.4.21-1.fc34.x86_64/Zend/zend_vm_execute.h:1618
#7  execute_ex (ex=0x7ffff72010f0) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/Zend/zend_vm_execute.h:53897
#8  0x00005555558583af in zend_execute (op_array=0x7ffff72812a0, return_value=0x0) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/Zend/zend_vm_execute.h:57993
#9  0x00005555557cf42c in zend_execute_scripts (type=type@entry=8, retval=0x7fffdc8695a0, retval@entry=0x0, file_count=-148819936, file_count@entry=3) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/Zend/zend.c:1679
#10 0x000055555576cf88 in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/main/main.c:2650
#11 0x000055555585a537 in do_cli (argc=2, argv=0x555555e21020) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/sapi/cli/php_cli.c:964
#12 0x000055555563c44b in main (argc=2, argv=0x555555e21020) at /usr/src/debug/php-7.4.21-1.fc34.x86_64/sapi/cli/php_cli.c:1359

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-13 08:51 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2021-07-13 08:51 UTC] cmb@php.net
Hmm, seems there is also a memory leak (at least in case of
failure).
 [2021-07-21 13:25 UTC] cmb@php.net
I'm not able to reproduce this, so I can only come up with a
simplistic fix, which is even slightly worse than the fix for bug
#80460 (i.e. you don't even get some error message or other
indication about the failure).  Thus, a pull request from someone
who can reproduce this would be welcome.  It might be a good idea
not to target a stable PHP version for this, due to general lack
of (PDO_)ODBC maintainers.

Generally, the support for out parameters appears to be
suboptimal.

> Hmm, seems there is also a memory leak (at least in case of
> failure).

I'll open a separate ticket for this.
 [2021-07-21 13:26 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #81252: PDO_ODBC doesn't account for SQL_NO_TOTAL
On GitHub:  https://github.com/php/php-src/pull/7295
Patch:      https://github.com/php/php-src/pull/7295.patch
 [2021-07-28 09:03 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/98049e8b9ab040f5796a8d93b53173b53977fdad
Log: Fix #81252: PDO_ODBC doesn't account for SQL_NO_TOTAL
 [2021-07-28 09:03 UTC] git@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 17 20:03:37 2021 UTC