Bug #60512 [Opn->Csd]: pdo_dblib - Seg Fault error on user/pass exceeds 30 chars

Sat, 01 Jun 2013 00:00:36 -0700 

Edit report at https://bugs.php.net/bug.php?id=60512&edit=1

 ID:                 60512
 Updated by:         ssuffic...@php.net
 Reported by:        paul dot visco at roswellpark dot org
 Summary:            pdo_dblib - Seg Fault error on user/pass exceeds 30
                     chars
-Status:             Open
+Status:             Closed
 Type:               Bug
 Package:            PDO related
 Operating System:   Centos 5.5/Fedora 16
 PHP Version:        5.3.8
 Block user comment: N
 Private report:     N

 New Comment:

Automatic comment on behalf of ssufficool
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=3b54de3db008490eeae8fba2e471a41906d1eae5
Log: FIX BUG #60512


Previous Comments:
------------------------------------------------------------------------
[2012-06-15 22:22:52] bmherold at gmail dot com

Created a gist of my crash log at: https://gist.github.com/2938986

------------------------------------------------------------------------
[2012-06-15 22:06:01] bmherold at gmail dot com

Has there been any movement on this bug? I'm using freetds 0.91 on OS X 10.7.4 
and 
php 5.3.13. HTTPD crashes when using a password of over 30 characters as seen 
in 
the console logs. I can also tail freetds.log and it doesnt even make it in 
here - 
but only when the password is over 30 chars.

------------------------------------------------------------------------
[2011-12-13 16:21:35] paul dot visco at roswellpark dot org

Description:
------------
LIB: freetds-0.91-1
PHP: php 5.3.8
EXT: pdo_dblib from /ext folder of php 5.3.8 source
OS: Fedora 16/Centos 5

I was using pdo_dblib to connect to a MSSQL server db.  When the password or 
username is longer than 30 chars, a segmentation fault occurrs, crashing PHP.

It would be ideal to instead throw the catchable error from freetds which is 
"20042 Name too long for LOGINREC field (severity 2)"

The problem is that the code is not checking to make sure dbproc is not NULL 
before processing the error info further.  In the case of the password being 
longer than 30 chars it is NULL, which then causes the seg fault.

Test script:
---------------
$db = new PDO("dblib:host=someserver;", "uname", 
'31charpasswordpasswordpasswordp');

Expected result:
----------------
20042 Name too long for LOGINREC field (severity 2)

Actual result:
--------------
segmentation fault

OUTPUT FROM gdb:
Program received signal SIGSEGV, Segmentation fault.
0x000000390502b0ff in __dcigettext () from /lib64/libc.so.6
(gdb) bt
#0  0x000000390502b0ff in __dcigettext () from /lib64/libc.so.6
#1  0x0000003905079b3c in strerror_r () from /lib64/libc.so.6
#2  0x000000390507997e in strerror () from /lib64/libc.so.6
#3  0x00002aaab26a6815 in ?? () from /usr/lib64/libsybdb.so.5
#4  0x00002aaab26a7aa9 in dbgetuserdata () from /usr/lib64/libsybdb.so.5
#5  0x00002aaab3bc2c59 in error_handler (dbproc=0x39051200a9, 
severity=85066262, dberr=0, oserr=0, dberrstr=0x0, oserrstr=0x5 <Address 0x5 
out of bounds>)
    at /home/ROSWELL/visco/php-5.3.8/ext/pdo_dblib/pdo_dblib.c:98




------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=60512&edit=1

Reply via email to