write to freed buffer in dbd::mysql 3.0003_1

Tue, 09 May 2006 05:37:13 -0700 

The following script causes a segfault due to writing to freed memory. I have
tracked down why it happens (see valgrind output) but not how to fix it yet
(although in the example, commenting out the finish works).

A make test of DBD::mysql 3.0003_1 shows this problem for me in the
50chopblanks test.

#!/usr/bin/perl -w

use DBI qw (neat_list);

my $dbh = DBI->connect('dbi:mysql:test','test');
$dbh->do(q/drop table if exists test/);
$dbh->do(q/create table test (a int, b char(64))/);
$dbh->do(q/insert into test values (1, 'one')/);

my $sth = $dbh->prepare(q/select * from test/);
$sth->execute;
while (my @row = $sth->fetchrow_array) {
    print  neat_list([EMAIL PROTECTED], 10, ",'"),"\n";
}
$sth->finish;
$sth->execute;
while (my @row = $sth->fetchrow_array) {
    print  neat_list([EMAIL PROTECTED], 10, ",'"),"\n";
}


==5361== Invalid write of size 4
==5361==    at 0x45F7A21: setup_one_fetch_function (in
/usr/mysql/lib/mysql/libmysqlclient.so.15.0.0)
==5361==    by 0x45F6348: mysql_stmt_execute (in
/usr/mysql/lib/mysql/libmysqlclient.so.15.0.0)
==5361==    by 0x45DA925: mysql_st_internal_execute41 (dbdimp.c:2771)
==5361==    by 0x45DAC39: mysql_st_execute (dbdimp.c:2894)
==5361==    by 0x45DEF89: XS_DBD__mysql__st_execute (mysql.xsi:562)
==5361==    by 0x43C20AC: XS_DBI_dispatch (in
/usr/local/lib/perl5/site_perl/5.8.7/i686-linux/auto/DBI/DBI.so)
==5361==    by 0x80AD37E: Perl_pp_entersub (in /usr/bin/perl)
==5361==    by 0x80A70EF: Perl_runops_standard (in /usr/bin/perl)
==5361==    by 0x8061654: S_run_body (in /usr/bin/perl)
==5361==    by 0x80613AD: perl_run (in /usr/bin/perl)
==5361==    by 0x805E866: main (in /usr/bin/perl)
==5361==  Address 0x45A7188 is 0 bytes inside a block of size 48 free'd
==5361==    at 0x401B1DB: free (m_replacemalloc/vg_replace_malloc.c:235)
==5361==    by 0x8099D5D: Perl_safesysfree (in /usr/bin/perl)
==5361==    by 0x45D70A5: FreeFBuffer (dbdimp.c:197)
==5361==    by 0x45DB8A7: mysql_st_finish (dbdimp.c:3378)
==5361==    by 0x45DB286: mysql_st_fetch (dbdimp.c:3153)
==5361==    by 0x45DF173: XS_DBD__mysql__st_fetchrow_array (mysql.xsi:610)
==5361==    by 0x43C20AC: XS_DBI_dispatch (in
/usr/local/lib/perl5/site_perl/5.8.7/i686-linux/auto/DBI/DBI.so)
==5361==    by 0x80AD37E: Perl_pp_entersub (in /usr/bin/perl)
==5361==    by 0x80A70EF: Perl_runops_standard (in /usr/bin/perl)
==5361==    by 0x8061654: S_run_body (in /usr/bin/perl)
==5361==    by 0x80613AD: perl_run (in /usr/bin/perl)
==5361==    by 0x805E866: main (in /usr/bin/perl)
==5361== 

finish is throwing stuff away that the mysql client still has the address of.
I think the problem would be worse if the example was using bound columns.

Martin
--
Martin J. Evans
Easysoft Ltd, UK
http://www.easysoft.com

Reply via email to