Edit report at http://bugs.php.net/bug.php?id=52546&edit=1

 ID:                 52546
 Comment by:         preben at ghost dot dk
 Reported by:        rgagnon24 at gmail dot com
 Summary:            pdo_dblib segmentation fault when iterating MONEY
                     values
 Status:             Closed
 Type:               Bug
 Package:            PDO related
 Operating System:   CentOS 5.5
 PHP Version:        5.2.14
 Assigned To:        felipe
 Block user comment: N

 New Comment:

Here's a fix.



Test code

---------

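<?php
// Connect through pdo_dblib (DB, HOST, USER and PASS are placeholders).
$dbh = new PDO('dblib:dbname=DB;host=HOST', 'USER', 'PASS');

// Temporary table with a MONEY column holding a positive and a negative value.
$sth = $dbh->query('create table #tmp(col money)');
$sth = $dbh->query('insert into #tmp(col) values(123.25)');
$sth = $dbh->query('insert into #tmp(col) values(-123.25)');

$sth = $dbh->prepare('SELECT col FROM #tmp');
$sth->execute();

// PDO::FETCH_ASSOC is the constant with value 2.
$r = $sth->fetchAll(PDO::FETCH_ASSOC);
print_r($r);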

---------



Output

---------

Array
(
    [0] => Array
        (
            [col] => 123.2500
        )

    [1] => Array
        (
            [col] => -123.2500
        )

)

---------



Diff

---------

--- php-5.3.3/ext/pdo_dblib/dblib_stmt.c        2010-03-08
13:39:44.000000000 +0100

+++ ../php-5.3.3/ext/pdo_dblib/dblib_stmt.c     2010-08-10
15:18:48.000000000 +0200

@@ -170,8 +170,10 @@

                                        case SQLMONEY4:

                                        case SQLMONEYN: {

                                                DBFLT8 money_value;

+                                               val->len = (2 *
dbdatlen(H->link, i + 1)) + 32;

+                                               val->data =
emalloc(val->len);

                                                dbconvert(NULL,
S->cols[i].coltype, dbdata(H->link, i+1), dbdatlen(H->link, i+1),
SQLFLT8, (LPBYTE)&money_value, val->len);

-                                               val->len =
spprintf(val->data, 0, "%.4f", money_value);

+                                               val->len =
sprintf(val->data, "%.4f", money_value);

                                                }

                                                break;

                                        default:
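
Review bot: the added `sprintf(val->data, "%.4f", money_value)` writes without a bound into a buffer whose size is a hand-computed estimate, `(2 * dbdatlen(H->link, i + 1)) + 32`, so nothing ties the formatted length to the allocation. Bound the write with `snprintf(val->data, val->len, "%.4f", money_value)`, or keep the allocating call and pass the address of the pointer, `spprintf(&val->data, 0, "%.4f", money_value)`, since spprintf() takes a `char **` and allocates the result itself; that also makes the added emalloc() unnecessary. Separately, the unchanged dbconvert() line passes `val->len` as the destination length although the destination is the local `DBFLT8 money_value`; `sizeof(money_value)` describes that buffer.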

---------


Previous Comments:
------------------------------------------------------------------------
[2010-08-06 18:18:19] rgagnon24 at gmail dot com

Patch uploaded as diff of actual SVN checkout this time.



Patch made from PHP_5_2 branch, but appears to be the same for PHP_5_3

------------------------------------------------------------------------
[2010-08-06 17:42:01] rgagnon24 at gmail dot com

With patch committed to SVN (r301916), segmentation fault still occurs.



The issue is the val->data pointer is null at the time of spprintf()
being called.  Using "8" in place of "val->len" or sizeof(DBFLT8) in the
dbconvert() call does not help at all.

------------------------------------------------------------------------
[2010-08-06 01:32:47] fel...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks.

------------------------------------------------------------------------
[2010-08-06 01:32:19] fel...@php.net

Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=301916
Log: - Fixed bug #52546 (pdo_dblib segmentation fault when iterating
MONEY values)

------------------------------------------------------------------------
[2010-08-05 22:04:37] rgagnon24 at gmail dot com

Description:
------------
Fix for bug 51213 released into 5.2.14 and 5.3.3 causes segmentation
fault when an SQL query attempts to read MSSQL MONEY type columns, or
aggregates of those column types.



Problem appears to be invalid val->data pointer passed to spprintf()
call at line 174 of dblib_stmt.c



Oddly, the patch attached to bug 51213 works properly, but is not the
same as what was committed to the code base.



In the patch attached to 51213, val->data is properly emalloc'd some
memory before any sprintf()-type of operation is performed.

Test script:
---------------
// On a table containing a MONEY column (field named "amount");
// $pdo is an already-open PDO dblib connection.
$sql = "SELECT SUM(amount) FROM table";
$rs = $pdo->query($sql, PDO::FETCH_OBJ);
foreach ($rs as $row) {
    var_dump($row);
}

Expected result:
----------------
Expected to see rows dumped from table.

Actual result:
--------------
Segmentation fault.


------------------------------------------------------------------------


