From:             proactive1 at gmail dot com
Operating system: Debian Linux 4
PHP version:      5.2.5
PHP Bug Type:     MSSQL related
Bug description:  mssql stored proc run causes canary mismatch on efree()

Description:
------------
Environment:
apache2,
PHP 5.2.5-3 with Suhosin-Patch 0.9.6.2 (cli) (built: Feb 21 2008 02:03:40)

Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

Issue:
When the attached php code is executed against an mssql stored procedure with
a certain set of variables ($dateFrom & $dateTo), it causes the canary
mismatch error to appear in apache error.log and "page cannot be displayed"
in the browser. The stored procedure itself runs perfectly with any set of
dates on the mssql server.
For example: when $dateFrom = 2008-01-01 and $dateTo = 2008-02-14, I am
getting the expected result as per attached. However, when $dateFrom =
2008-01-01 and $dateTo = 2008-02-15, a "canary mismatch on efree()
- heap overflow detected" error is generated and the page cannot be
displayed.
I have applied a patch to php_mssql.c as per Iliya's suggestion in bug
#43861. Here is the header from the current php_mssql.c:
/* $Id: php_mssql.c,v 1.152.2.13.2.8 2008/03/05 23:53:23 iliaa Exp $ */

Do I need to provide more info? Any help would be greatly appreciated!

Reproduce code:
---------------
<?php
// Date strings are assembled from the POSTed form fields.
$dateFrom = $_POST['yr_from'] . "-" . $_POST['month_from'] . "-" . $_POST['dt_from'];
$dateTo   = $_POST['yr_to'] . "-" . $_POST['month_to'] . "-" . $_POST['dt_to'];

$link = @mssql_connect("server_name", "uname", "pw")
    or die('Could not connect: ' . mssql_error());
$db = "db_name";
@mssql_select_db($db, $link) or die("Couldn't open database $db");

// Prepare the stored procedure and bind both dates as SQLCHAR input parameters.
// mssql_bind() takes its third argument by reference, so no call-time & is needed.
$stmt = mssql_init("sp", $link) or die(mssql_get_last_message());
mssql_bind($stmt, "@dateFrom", $dateFrom, SQLCHAR, FALSE) or die(mssql_get_last_message());
mssql_bind($stmt, "@dateTo", $dateTo, SQLCHAR, FALSE) or die(mssql_get_last_message());
$res = mssql_execute($stmt);

echo "<pre>";
while ($row = mssql_fetch_assoc($res)) {
    printf("%12.20s%12.20s%12.20s%12.20s%18.28s%18.28s%18.28s%18.28s%18.28s\n",
        $row['Symbol'], $row['Buys'], $row['Sells'], $row['Position'],
        $row['TotalVolume'], $row['GrossPnL'], $row['ClrFees'], $row['ExFees'], $row['NetPnL']);
}
echo "</pre>";
mssql_free_result($res);
mssql_close($link);
?>

Expected result:
----------------
PnL Report for 2008-01-01 to 2008-02-14 period
      Symbol:       Buys:      Sells:   Position:      TotalVolume:      GPnL:     CFees:     ExFees:     NetPnL:

       prod1        1154        1154           0              2308    2420.00     115.40     1477.12      827.48
       prod2          15          15           0                30     118.75       1.50       17.70       99.55
       prod3          13          13           0                26     100.00       1.30       15.34       83.36
       prod4        4614        4614           0              9228    2812.50     461.40     5444.52    -3093.42
       prod5        1130        1130           0              2260    8480.00     113.00     1107.40     7259.60
       prod6          15          15           0                30    -165.00       1.50       19.20     -185.70

Generated on: Sunday April 13, 2008, 09:57 AM


Actual result:
--------------
[Sun Apr 13 09:38:22 2008] [error] [client 10.X.X.X] ALERT - canary mismatch on efree() - heap overflow detected (attacker '10.X.X.X', file '/var/www/apache2-default/phpproject/sql2.php'), referer: http://10.X.X.X/apache2-default/phpproject/pnl_generator.html

-- 
Edit bug report at http://bugs.php.net/?id=44710&edit=1