ID: 43861
Updated by: [EMAIL PROTECTED]
Reported By: skennedy at vcn dot com
Status: Open
Bug Type: MSSQL related
Operating System: FreeBSD 6.2
PHP Version: 5.2.5

New Comment:

Ok, there we go. Looks like there is an off-by-one in there. But looking at the PHP code, it seems ok.

    int res_length = dbdatlen(mssql_ptr->link,offset);
    ...
    res_buf = (unsigned char *) emalloc(res_length+1);
    res_length = dbconvert(NULL,coltype(offset),dbdata(mssql_ptr->link,offset), res_length, SQLCHAR,res_buf,-1);
    res_buf[res_length] = '\0';

So, we aren't going beyond the buffer; it is somewhere in the dbconvert() code writing to res_buf that is off. Passing in a larger buffer would fix it, but it would be good to understand why dbdatlen() isn't returning the right length. Is it an encoding issue? One assumes single-byte encoding and the other multi-byte or something? Looping in Frank to have a look.

Previous Comments:
------------------------------------------------------------------------

[2008-01-30 21:23:02] skennedy at vcn dot com

Okay, here is that: http://www.bandwidthbuilders.com/valgrind-output-nozendalloc.txt

------------------------------------------------------------------------

[2008-01-30 21:08:27] [EMAIL PROTECTED]

Sometimes the Zend memory manager hides stuff as well. Could you please try disabling that by setting the "USE_ZEND_ALLOC" environment variable to 0? (Something like "export USE_ZEND_ALLOC=0" should do that.) And then re-try to make a valgrind trace. Thanks!

------------------------------------------------------------------------

[2008-01-30 18:38:10] skennedy at vcn dot com

That valgrind output *is* without the Suhosin patch. I was saying that I first compiled PHP w/ Suhosin patch to make sure it errors out with the heap overflow as it does on my FreeBSD box, and it did. Then I compiled PHP again, this time w/out Suhosin, and ran the valgrind, which is the output you see in the link.

------------------------------------------------------------------------

[2008-01-30 17:56:21] [EMAIL PROTECTED]

Again, that valgrind output does not show an overflow. Either the problem is being masked by the Suhosin patch, or it is a false positive.

Try removing the Suhosin patch and do the valgrind check again.

------------------------------------------------------------------------

[2008-01-30 17:21:28] skennedy at vcn dot com

Rasmus, I tested if this same heap overflow would occur on my Linux box (Debian 4.0) by compiling my own very basic PHP 5.2.5 (./configure --with-mssql) w/ Suhosin patch. The result: same exact error as on FreeBSD. The original valgrind output I submitted was from the PHP installed via a Debian package. So I recompiled my PHP again, this time without Suhosin patch, and ran valgrind again. Updated output: http://www.bandwidthbuilders.com/valgrind-output.txt

Let me know if you need me to do anything else. Thanks.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/43861
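The sizing hazard raised in the new comment above (a destination buffer sized from the raw column length plus one, while the converter may emit more bytes than it consumed, e.g. under a single-byte to multi-byte encoding mismatch), as an added C model that is not part of the bug report and does not reproduce FreeTDS's dbdatlen()/dbconvert(): the converter here is a constructed Latin-1 to UTF-8 step, and the hardened fetch measures the converted length first and converts with an explicit bound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the allocation pattern in the PHP snippet. "Raw length"
 * plays the role of dbdatlen(); the converter plays the role of dbconvert() and,
 * like a Latin-1 to UTF-8 step, may emit more bytes than it consumes.
 * Assumption: only the sizing hazard is modelled, not the real library calls. */

/* Convert Latin-1 to UTF-8. dst may be NULL to only measure the output size.
 * Returns the number of bytes produced (excluding the terminator), or
 * (size_t)-1 if dstlen bytes cannot hold the output plus its terminator. */
static size_t latin1_to_utf8(const unsigned char *src, size_t srclen,
                             unsigned char *dst, size_t dstlen)
{
    size_t n = 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = src[i];
        size_t need = (c < 0x80) ? 1 : 2;          /* high bytes expand to 2 */
        if (dst != NULL && n + need + 1 > dstlen)
            return (size_t)-1;                     /* refuse; never write past dst */
        if (dst != NULL) {
            if (c < 0x80) dst[n] = c;
            else { dst[n] = 0xC0 | (c >> 6); dst[n + 1] = 0x80 | (c & 0x3F); }
        }
        n += need;
    }
    if (dst != NULL) dst[n] = '\0';
    return n;
}

/* The page's pattern: buffer of rawlen + 1 bytes. Returns 1 if that buffer would
 * hold the converted text and terminator, 0 if the conversion needs more room. */
int raw_length_plus_one_suffices(const unsigned char *raw, size_t rawlen)
{
    return latin1_to_utf8(raw, rawlen, NULL, 0) <= rawlen;
}

/* Hardened fetch: measure first, allocate for the converted size, convert with an
 * explicit bound and check the result. Caller frees. Returns NULL on failure. */
char *fetch_column_text(const unsigned char *raw, size_t rawlen)
{
    size_t need = latin1_to_utf8(raw, rawlen, NULL, 0);
    unsigned char *buf = malloc(need + 1);
    if (buf == NULL) return NULL;
    if (latin1_to_utf8(raw, rawlen, buf, need + 1) == (size_t)-1) {
        free(buf);
        return NULL;
    }
    return (char *)buf;
}
```

With this split, a length mismatch between the raw and converted forms surfaces as a failed return value rather than a heap write past the buffer, which is what valgrind would otherwise have to catch.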