Frank Kromann has investigated these issues and has made fixes in the
CVS version of ext/mssql.
Michael
--- Michael Sisolak <[EMAIL PROTECTED]> wrote:
> Testing my existing SQL Server based sites with 4.3.0RC2 resulted in
> many memory access violations and crashes. I believe that I have
> tracked these down to two different changes made to the MSSQL extension
> since 4.2.3:
>
> 1) In version 1.82 of php_mssql.c there were 6 mallocs that were
> changed from "emalloc(res_length + 1);" to "emalloc(res_length);". I
> believe, however, that the code that uses those memory blocks in at
> least four of the cases required that extra space. This is the code as
> it is now for two of the changes in 4.3.0RC2:
>
> res_buf = (unsigned char *) emalloc(res_length);
> bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset));
> memcpy(res_buf, bin, res_length);
> res_buf[res_length] = '\0';
>
> Isn't the setting of res_buf[res_length] illegal, as that would be
> beyond the bounds of emalloc(res_length)? Also this code (appearing in
> two of the changes):
>
> res_length = 19;
> res_buf = (unsigned char *) emalloc(res_length);
> sprintf(res_buf, "%d-%02d-%02d %02d:%02d:%02d" , . . .
>
> Since the length of the character string is going to be 19 characters,
> isn't the sprintf going to write an ASCIIZ ending beyond the size of
> res_buf?
>
> Does the way emalloc() works take care of these problems? Adding the
> "+ 1" back to these four emalloc() calls stopped one set of crashes.
>
> 2) In version 1.83 of php_mssql.c the mssql_query() function was
> altered from:
>
> if ((num_fields = dbnumcols(mssql_ptr->link)) <= 0) {
> RETURN_TRUE;
> }
>
> to:
>
> if ((num_fields = dbnumcols(mssql_ptr->link)) <= 0 &&
> !dbdataready(mssql_ptr->link)) {
> RETURN_TRUE;
> }
>
> The CVS comment indicates that this change was for "fixing the
> mssql_query to handle multiple results correct if the first result does
> not return any data." If I now call mssql_query() with a query that
> doesn't return any values (like a SQL-T EXEC call), however, PHP will
> crash (removing the new dbdataready() check eliminates the crash).
>
> Michael Sisolak
> [EMAIL PROTECTED]
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
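The two off-by-one patterns from the quoted report, shown as an added example that is not part of the original mail or of ext/mssql: a buffer of res_length bytes cannot hold res_length bytes plus a terminator, and a 19-character date string needs a 20-byte buffer because sprintf appends the NUL. The code below uses plain malloc/free behind hypothetical emalloc/efree macros (PHP's real allocator is not involved) and computes the required sizes instead of hard-coding them, so the check generalises to any format string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for PHP's emalloc/efree so the example runs outside PHP. */
#define emalloc(n) malloc(n)
#define efree(p) free(p)

/* Copy res_length bytes of binary data and NUL-terminate the copy.
 * The buffer must be res_length + 1 bytes: index res_length IS the terminator,
 * so emalloc(res_length) alone would put the '\0' one byte past the allocation. */
unsigned char *copy_binary_terminated(const unsigned char *bin, size_t res_length) {
    unsigned char *res_buf = (unsigned char *) emalloc(res_length + 1);
    if (res_buf == NULL) return NULL;
    memcpy(res_buf, bin, res_length);
    res_buf[res_length] = '\0';
    return res_buf;
}

/* Number of bytes a buffer needs to hold the formatted timestamp, terminator included.
 * snprintf with a NULL/0 target returns the character count without writing anything. */
size_t datetime_buffer_needed(int y, int mo, int d, int h, int mi, int s) {
    int n = snprintf(NULL, 0, "%d-%02d-%02d %02d:%02d:%02d", y, mo, d, h, mi, s);
    return n < 0 ? 0 : (size_t) n + 1;
}

/* Bounded replacement for the sprintf in the report: returns the character count
 * (excluding the NUL) on success, or -1 if the buffer is too small to hold
 * the string plus its terminator, instead of writing past the end. */
int format_datetime(char *out, size_t out_size, int y, int mo, int d, int h, int mi, int s) {
    int n = snprintf(out, out_size, "%d-%02d-%02d %02d:%02d:%02d", y, mo, d, h, mi, s);
    if (n < 0 || (size_t) n >= out_size) return -1;  /* would have overflowed */
    return n;
}

/* Demonstration with a constructed 3-byte binary value: returns 1 if the
 * terminator landed inside the allocation and the payload is intact. */
int demo_binary_copy(void) {
    const unsigned char bin[] = { 0x01, 0x02, 0x03 };  /* constructed sample */
    unsigned char *res_buf = copy_binary_terminated(bin, sizeof bin);
    if (res_buf == NULL) return 0;
    int ok = (memcmp(res_buf, bin, sizeof bin) == 0) && (res_buf[sizeof bin] == '\0');
    efree(res_buf);
    return ok;
}

/* Demonstration: try to format a fixed timestamp into a buffer of the given size. */
int demo_format_into(size_t out_size) {
    char out[64];  /* large backing store; out_size limits what we let snprintf use */
    if (out_size > sizeof out) out_size = sizeof out;
    return format_datetime(out, out_size, 2002, 12, 31, 23, 59, 59);
}

int main(void) {
    printf("binary copy terminated correctly: %d\n", demo_binary_copy());
    printf("bytes needed for the date string: %zu\n",
           datetime_buffer_needed(2002, 12, 31, 23, 59, 59));
    printf("formatting into 19 bytes: %d\n", demo_format_into(19));  /* -1: too small */
    printf("formatting into 20 bytes: %d\n", demo_format_into(20));  /* 19: fits */
    return 0;
}
```

With a 19-byte buffer the bounded formatter refuses to write, which is exactly the case the original sprintf silently overflowed by one byte; restoring the "+ 1" on the emalloc calls, as the report suggests, is the minimal fix.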
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php