ID: 43861
Comment by: andy at diginights dot com
Reported By: skennedy at vcn dot com
Status: No Feedback
Bug Type: MSSQL related
Operating System: FreeBSD 6.2
PHP Version: 5.2.5

New Comment:
Same issue here, we get white pages browsing our site. Also we get "ALERT - canary mismatch on efree() - heap overflow detected" in the apache error log. Using apache 2.2.8-1, php 5.2.5-2, mysql 5.0.51-3. Software is Burning Board (http://woltlab.de/).

Previous Comments:
------------------------------------------------------------------------
[2008-02-18 01:00:01] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".
------------------------------------------------------------------------
[2008-02-10 14:50:28] [EMAIL PROTECTED]

Can you please try a CVS snapshot of PHP 5.3.0 in about 4-5 hours. I've just applied a patch to the code that may fix your problem. Alternatively you can try the patch yourself from this URL:
http://cvs.php.net/viewvc.cgi/php-src/ext/mssql/php_mssql.c?r1=1.152.2.13.2.4.2.3&r2=1.152.2.13.2.4.2.4&diff_format=u
------------------------------------------------------------------------
[2008-02-10 07:57:04] cxcxcxcx at gmail dot com

I have encountered a similar problem when "select" contains 'smalldatetime' or 'datetime' columns. I am using Debian Sid and php5 php5-sybase.
------------------------------------------------------------------------
[2008-01-31 00:16:10] [EMAIL PROTECTED]

Ok, there we go. Looks like there is an off-by-one in there. But looking at the PHP code, it seems ok.

    int res_length = dbdatlen(mssql_ptr->link,offset);   /* length of the raw column data */
    ...
    res_buf = (unsigned char *) emalloc(res_length+1);
    res_length = dbconvert(NULL,coltype(offset),dbdata(mssql_ptr->link,offset),
                           res_length, SQLCHAR,res_buf,-1);   /* -1: no destination limit */
    res_buf[res_length] = '\0';

So, we aren't going beyond the buffer, it is somewhere in the dbconvert() code writing to res_buf that is off.
Passing in a larger buffer would fix it, but it would be good to understand why dbdatlen() isn't returning the right length. Is it an encoding issue? One assumes single-byte encoding and the other multi-byte or something? Looping in Frank to have a look.
------------------------------------------------------------------------
[2008-01-30 21:23:02] skennedy at vcn dot com

Okay, here is that: http://www.bandwidthbuilders.com/valgrind-output-nozendalloc.txt
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/43861
--
Edit this bug report at http://bugs.php.net/?id=43861&edit=1
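An added illustration of the allocation pattern discussed in the thread, not code from the bug report, from php_mssql.c or from FreeTDS. It assumes the datetime observation above means a column's raw width (what dbdatlen() reports, 4 bytes for smalldatetime) is shorter than its converted text, and contrasts sizing the result buffer from that raw width with sizing it from the conversion result. The smalldatetime layout, the converter and the sample value are constructed stand-ins, and the stand-in converter refuses to write past the buffer, so an undersized buffer is reported rather than overflowed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a 4-byte SQL smalldatetime column value:
 * days since 1900-01-01 and minutes since midnight (assumed layout). */
typedef struct { uint16_t days; uint16_t minutes; } smalldatetime_t;

/* What dbdatlen() reports for such a column: the raw binary width, 4 bytes. */
static size_t raw_datlen(void) { return sizeof(smalldatetime_t); }

/* Stand-in for dbconvert(..., SQLCHAR, dst, -1): returns the text length the
 * conversion needs (without NUL) but, unlike the real call, never writes past
 * dst_cap, so a too-small buffer is reported instead of overflowed. */
static size_t convert_to_char(const smalldatetime_t *v, char *dst, size_t dst_cap) {
    char text[64];
    int n = snprintf(text, sizeof text, "%u days %02u:%02u", (unsigned)v->days,
                     (unsigned)v->minutes / 60, (unsigned)v->minutes % 60);
    if (n < 0) return 0;
    if (dst != NULL && dst_cap > 0) {
        size_t copy = (size_t)n < dst_cap ? (size_t)n : dst_cap - 1;
        memcpy(dst, text, copy);
        dst[copy] = '\0';
    }
    return (size_t)n;
}

/* Pattern from the report: size the buffer from the raw data length. */
static int sized_from_datlen_fits(const smalldatetime_t *v) {
    size_t res_length = raw_datlen();             /* 4 */
    char *res_buf = malloc(res_length + 1);       /* 4 chars + NUL */
    if (res_buf == NULL) return 0;
    size_t needed = convert_to_char(v, res_buf, res_length + 1);
    int fits = needed + 1 <= res_length + 1;      /* text + NUL must fit */
    free(res_buf);
    return fits;
}

/* Defensive pattern: measure the converted text first, then allocate for it. */
static int sized_from_conversion_fits(const smalldatetime_t *v) {
    size_t needed = convert_to_char(v, NULL, 0);  /* measure only */
    char *res_buf = malloc(needed + 1);
    if (res_buf == NULL) return 0;
    size_t written = convert_to_char(v, res_buf, needed + 1);
    int fits = written == needed && strlen(res_buf) == needed;
    free(res_buf);
    return fits;
}
```

With the constructed sample value the raw width is 4 while the text needs 16 characters, so the datlen-sized buffer reports a mismatch and the measured allocation fits.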