From: bugs dot php dot net at zetafleet dot com
Operating system: Linux (Ubuntu 7.04)
PHP version: 5.2.5
PHP Bug Type: Reproducible crash
Bug description: PDO-ODBC crashes unixODBC due to not binding columns on
"long" data
Description:
------------
PDO-ODBC causes unixODBC to crash when fetching data because it does not
bind all the columns in odbc_stmt.c if there are "long" (data > 256b)
columns, resulting in a NULL pointer dereference in unixODBC at
SQLGetData:472 (line number is for the current CVS version of unixODBC;
release versions may differ. The line is "bound_columns = bound_columns ->
next").
The affected code may be odbc_stmt.c:422-439. I have solved the crash by
commenting out the branch, but this is not the correct solution since it
will now potentially allocate a huge amount of memory.
Reproduce code:
---------------
Create a table in MSSQL like:
CREATE TABLE Frontpage (
    ID smallint identity,
    Title nvarchar,
    SectionUpdate text,
    Category nvarchar,
    Date smalldatetime,
    Link nvarchar );

<?php
// Connect through the ODBC DSN "NewMain"
$pdo = new PDO('odbc:NewMain', 'imageboston', 'ib86385');
$stmt = $pdo->query('SELECT * FROM Frontpage');
// Fetching the rows is where the crash occurs (see backtrace below)
$result = $stmt->fetchAll(PDO::FETCH_NUM);
echo count($result);
?>
Expected result:
----------------
"42" (or however many rows are in the table)
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47223378858528 (LWP 14883)]
0x00002af315aa93e4 in CLGetData (statement_handle=0xe34f00,
column_number=3, target_type=1, target_value=0xdca8f0, buffer_length=256,
strlen_or_ind=0xdd0420) at SQLGetData.c:472
472 bound_columns = bound_columns -> next;
(gdb) bt
#0 0x00002af315aa93e4 in CLGetData (statement_handle=0xe34f00,
column_number=3, target_type=1, target_value=0xdca8f0, buffer_length=256,
strlen_or_ind=0xdd0420)
at SQLGetData.c:472
#1 0x00002af312debb4e in SQLGetData (statement_handle=0xe34880,
column_number=3, target_type=1, target_value=0xdca8f0, buffer_length=256,
strlen_or_ind=0xdd0420)
at SQLGetData.c:439
#2 0x00002af3138eacd7 in odbc_stmt_get_col (stmt=0xdcfe00, colno=2,
ptr=0x7fffa10faa38, len=0x7fffa10faa30, caller_frees=0x7fffa10faa90)
at
/home/colin/software/source/php5-5.2.1/ext/pdo_odbc/odbc_stmt.c:460
#3 0x00002af313068c35 in fetch_value (stmt=0xdcfe00, dest=0xdd1370,
colno=2, type_override=0x0) at
/home/colin/software/source/php5-5.2.1/ext/pdo/pdo_stmt.c:512
#4 0x00002af31306a2d9 in do_fetch (stmt=0xdcfe00, do_bind=1,
return_value=0xdd1180, how=PDO_FETCH_NUM, ori=PDO_FETCH_ORI_NEXT, offset=0,
return_all=0x0)
at /home/colin/software/source/php5-5.2.1/ext/pdo/pdo_stmt.c:1017
#5 0x00002af31306b9fa in zim_PDOStatement_fetchAll (ht=1,
return_value=0xdcf9b8, return_value_ptr=0x0, this_ptr=0xdcf9e0,
return_value_used=1)
at /home/colin/software/source/php5-5.2.1/ext/pdo/pdo_stmt.c:1494
#6 0x0000000000676642 in ?? ()
#7 0x0000000000666cac in execute ()
#8 0x0000000000647cd3 in zend_execute_scripts ()
#9 0x0000000000606288 in php_execute_script ()
#10 0x00000000006d0960 in main ()
(Please ignore the source version; this problem exists also in 5.2.5
(pdo_odbc hasn't changed) -- I just happened to compile with full debug
information for 5.2.1-0ubuntu1.5.)
--
Edit bug report at http://bugs.php.net/?id=43681&edit=1
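
An added illustration, not code from the report, PHP or unixODBC: a minimal C model of the failure described above, where a caller binds only the short columns and a later lookup walks the bound-column list for a column that was never bound. The struct, the function names and the column sizes are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of a bound-column list; not unixODBC's real types. */
struct bound_col {
    int column_number;              /* 1-based, as in SQLGetData */
    struct bound_col *next;
};
#define LONG_THRESHOLD 256          /* the report's "long" cutoff (assumed bytes) */

/* Caller side: bind only columns that fit the threshold; long ones stay unbound. */
struct bound_col *bind_short_columns(const size_t *sizes, int ncols)
{
    struct bound_col *head = NULL, **tail = &head;
    for (int i = 0; i < ncols; i++) {
        if (sizes[i] > LONG_THRESHOLD)
            continue;
        struct bound_col *c = malloc(sizeof *c);
        if (!c)
            break;
        c->column_number = i + 1;
        c->next = NULL;
        *tail = c;
        tail = &c->next;
    }
    return head;
}

/* Unsafe walk: assumes the column is in the list, so an unbound column
 * runs off the tail and dereferences NULL. */
struct bound_col *find_bound_unsafe(struct bound_col *bc, int col)
{
    while (bc->column_number != col)
        bc = bc->next;
    return bc;
}

/* Checked walk: stops at the tail; NULL means the column was never bound. */
struct bound_col *find_bound_checked(struct bound_col *bc, int col)
{
    while (bc != NULL && bc->column_number != col)
        bc = bc->next;
    return bc;
}

int main(void)
{
    /* Constructed sizes for the six Frontpage columns; column 3 is the text column. */
    const size_t sizes[] = {2, 100, 100000, 100, 4, 100};
    struct bound_col *head = bind_short_columns(sizes, 6);
    return find_bound_checked(head, 3) == NULL ? 0 : 1;
}
```

With the checked walk, the library side can return an error for an unbound column instead of crashing the PHP process.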