From: jjuergens at web dot de
Operating system: Opensuse 11.1
PHP version: 5.2.9
PHP Bug Type: MySQLi related
Bug description: PHP crashes when using MySQLi-Statement
Description:
------------
When trying to retrieve data from a MySQL-Database using a
mysqli-statement, PHP just crashes. I excerpted the code below from a
larger web-application and invoked it via the PHP-Cli and it still fails
with a memory-error.
Interestingly enough though, if you just change a single value within
$arg1 and $arg2 (e.g. replace the last 8 from $arg1 with a 7), the bug
doesn't occur anymore.
I've included a Valgrind-output which shows the error.
MySQL-Version is 5.0.67.
Reproduce code:
---------------
<?php
/*
This is the database-table used:
CREATE TABLE `sessionData` (
`sessionId` varchar(60) collate utf8_unicode_ci NOT NULL,
`pathHash` varchar(32) collate utf8_unicode_ci NOT NULL,
`path` varchar(100) collate utf8_unicode_ci NOT NULL,
`data` longtext collate utf8_unicode_ci NOT NULL,
PRIMARY KEY (`sessionId`,`pathHash`),
CONSTRAINT `sessionData_ibfk_1` FOREIGN KEY (`sessionId`) REFERENCES
`sessionIndex` (`sessionId`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci
*/
//create db-link
$dbLink=new mysqli("host","user","pass","db",3306);
//create the statement
$stmt=$dbLink->prepare("SELECT * FROM `sessionData` WHERE `sessionId`=?
AND `pathHash`=? LIMIT 1");
//bind params
$arg1="e75c7781166e3a361b7cff546563d5e8";
$arg2="9ddec3abec5c92628022210892e76afb";
$stmt->bind_param("ss",$arg1,$arg2);
//execute
$stmt->execute();
//create set of result-fields (see
http://php.net/manual/de/mysqli-stmt.bind-result.php#85470)
$resData=$stmt->result_metadata();
$resFields=array();
$bindArray=array();
while($field=mysqli_fetch_field($resData)){
$resFields[]=&$bindArray[$field->name];
}
//bind result-fields
call_user_func_array(array($stmt,'bind_result'),$resFields);
//fetch result
$res=0;
while($stmt->fetch()){
$tmpRes=array();
foreach($bindArray as $key=>$value){
$tmpRes[$key]=$value;
}
//add this row (not needed for bug reproduction)
// array_push($result,$tmpRes);
$res++;
}
//close statement
$stmt->close();
Expected result:
----------------
In this case, the script should just exit normally without a result.
Actual result:
--------------
Running it in a shell, I get a memory-error.
Using Valgrind, I get the following:
==13749== Memcheck, a memory error detector.
==13749== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==13749== Using LibVEX rev 1854, a library for dynamic binary
translation.
==13749== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==13749== Using valgrind-3.3.1, a dynamic binary instrumentation
framework.
==13749== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==13749== For more details, rerun with: -v
==13749==
==13749== Invalid read of size 4
==13749== at 0x51AA261: mysql_stmt_fetch (in
/usr/lib/libmysqlclient.so.15.0.0)
==13749== by 0x5187D5C: zif_mysqli_stmt_fetch (in
/usr/lib/php5/extensions/mysqli.so)
==13749== by 0x81DE342: (within /usr/bin/php5)
==13749== by 0x81C94BA: execute (in /usr/bin/php5)
==13749== by 0x81A3D4F: zend_execute_scripts (in /usr/bin/php5)
==13749== by 0x81589F9: php_execute_script (in /usr/bin/php5)
==13749== by 0x821C780: main (in /usr/bin/php5)
==13749== Address 0x84 is not stack'd, malloc'd or (recently) free'd
==13749==
==13749== Process terminating with default action of signal 11 (SIGSEGV)
==13749== Access not within mapped region at address 0x84
==13749== at 0x51AA261: mysql_stmt_fetch (in
/usr/lib/libmysqlclient.so.15.0.0)
==13749== by 0x5187D5C: zif_mysqli_stmt_fetch (in
/usr/lib/php5/extensions/mysqli.so)
==13749== by 0x81DE342: (within /usr/bin/php5)
==13749== by 0x81C94BA: execute (in /usr/bin/php5)
==13749== by 0x81A3D4F: zend_execute_scripts (in /usr/bin/php5)
==13749== by 0x81589F9: php_execute_script (in /usr/bin/php5)
==13749== by 0x821C780: main (in /usr/bin/php5)
==13749==
==13749== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 118 from
2)
==13749== malloc/free: in use at exit: 1,296,363 bytes in 13,676 blocks.
==13749== malloc/free: 14,687 allocs, 1,011 frees, 2,096,685 bytes
allocated.
==13749== For counts of detected errors, rerun with: -v
==13749== searching for pointers to 13,676 not-freed blocks.
==13749== checked 1,736,688 bytes.
==13749==
==13749== LEAK SUMMARY:
==13749== definitely lost: 30,599 bytes in 11 blocks.
==13749== possibly lost: 10,263 bytes in 2 blocks.
==13749== still reachable: 1,255,501 bytes in 13,663 blocks.
==13749== suppressed: 0 bytes in 0 blocks.
==13749== Rerun with --leak-check=full to see details of leaked memory.
--
Edit bug report at http://bugs.php.net/?id=47928&edit=1
--
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=47928&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=47928&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=47928&r=trysnapshot60
Fixed in CVS:
http://bugs.php.net/fix.php?id=47928&r=fixedcvs
Fixed in CVS and need be documented:
http://bugs.php.net/fix.php?id=47928&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=47928&r=alreadyfixed
Need backtrace:
http://bugs.php.net/fix.php?id=47928&r=needtrace
Need Reproduce Script:
http://bugs.php.net/fix.php?id=47928&r=needscript
Try newer version:
http://bugs.php.net/fix.php?id=47928&r=oldversion
Not developer issue:
http://bugs.php.net/fix.php?id=47928&r=support
Expected behavior:
http://bugs.php.net/fix.php?id=47928&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=47928&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=47928&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=47928&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=47928&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=47928&r=dst
IIS Stability:
http://bugs.php.net/fix.php?id=47928&r=isapi
Install GNU Sed:
http://bugs.php.net/fix.php?id=47928&r=gnused
Floating point limitations:
http://bugs.php.net/fix.php?id=47928&r=float
No Zend Extensions:
http://bugs.php.net/fix.php?id=47928&r=nozend
MySQL Configuration Error:
http://bugs.php.net/fix.php?id=47928&r=mysqlcfg
