Edit report at http://bugs.php.net/bug.php?id=52554&edit=1
ID: 52554
Comment by: crewone at gmail dot com
Reported by: cameron dot moller at gmail dot com
Summary: Sporadic PHP Segmentation fault in combination with
unixODBC
Status: Open
Type: Bug
Package: ODBC related
Operating System: 2.6.34-gentoo-r1 x86_64
PHP Version: 5.3SVN-2010-08-06 (SVN)
Block user comment: N
New Comment:
The same bug occurs at or around line 1723. (php_odbc_fetch_hash)
The fix is easy using a cast.
Previous Comments:
------------------------------------------------------------------------
[2010-10-09 01:07:32] [email protected]
There is driver using SQLINTEGER, and others SQLLEN as type for the
buffer size pointer.
------------------------------------------------------------------------
[2010-10-07 09:11:32] crewone at gmail dot com
After debugging I found that:
result->values[field_ind].vallen = -1
But...
result->values[field_ind].vallen is a 32-bit integer (4 bytes)
And..
SQLLEN is defined as an 64-bit integer.
Therefore the if statement...
if( result->values[field_ind].vallen == SQL_NULL_DATA )
Fails even if both values are "-1" (SQL_NULL_DATA)
As a result "-1" gets passed to a memcpy and the process segfaults.
The obvious fix would be to cast both sides of the equasion to (int):
if ((int)result->values[field_ind].vallen == (int)SQL_NULL_DATA)
Which seems to work. I'm not sure if it violates any PHP coding
standards, but
that's my fix for now. I trust the maintainer of the odbc code has
enough
information now to create a real fix.
------------------------------------------------------------------------
[2010-10-07 02:39:20] crewone at gmail dot com
I can reproduce this with a result set containing NULL. I wouldn't call
it
'sporadic', in fact it is quite a show stopper for me.
The backtrace:
#0 0x00007ffff5386085 in memcpy () from /lib/libc.so.6
#1 0x00000000006dee08 in _estrndup (s=0x1331c08 "\030\034\063\001",
length=
<value optimized out>) at /usr/include/bits/string3.h:52
#2 0x0000000000579b6a in zif_odbc_result (ht=<value optimized out>,
return_value=0x1332c60, return_value_ptr=<value optimized out>,
this_ptr=<value
optimized out>, return_value_used=<value optimized out>)
at /usr/src/php-5.3.3/ext/odbc/php_odbc.c:2110
#3 0x0000000000746a3c in zend_do_fcall_common_helper_SPEC
(execute_data=0x7ffff7e8ab58) at
/usr/src/php-5.3.3/Zend/zend_vm_execute.h:316
#4 0x000000000071ebd8 in execute (op_array=0x10b4380) at /usr/src/php-
5.3.3/Zend/zend_vm_execute.h:107
#5 0x00000000006f982a in zend_execute_scripts (type=8, retval=<value
optimized
out>, file_count=3) at /usr/src/php-5.3.3/Zend/zend.c:1194
#6 0x00000000006a80ed in php_execute_script (primary_file=<value
optimized
out>) at /usr/src/php-5.3.3/main/main.c:2260
#7 0x000000000078064e in main (argc=<value optimized out>, argv=<value
optimized out>) at /usr/src/php-5.3.3/sapi/cli/php_cli.c:1192
------------------------------------------------------------------------
[2010-08-07 17:40:15] [email protected]
That _estrndup on backtrace must be related to RETURN_STRINGL macro used
in the zif_odbc_result... Can you check in which RETURN_STRINGL the
crash occurs and get the string size passed to estrndup()?
------------------------------------------------------------------------
[2010-08-07 12:08:50] cameron dot moller at gmail dot com
Re-emergeing glibc did not help
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=52554
--
Edit this bug report at http://bugs.php.net/bug.php?id=52554&edit=1
