[PHP-DEV] Multiple MSSQL Crashes in 4.3.0RC2

Sun, 01 Dec 2002 19:50:40 -0800 

Testing my existing SQL Server based sites with 4.3.0RC2 resulted in
many memory access violations and crashes.  I believe that I have
tracked these down to two different changes made to the MSSQL extension
since 4.2.3:

1) In version 1.82 of php_mssql.c there were 6 mallocs that were
changed from "emalloc(res_length + 1);" to "emalloc(res_length);".  I
believe, however, that the code that uses those memory blocks in at
least four of the cases required that extra space.  This is the code as
it is now for two of the changes in 4.3.0RC2:

        res_buf = (unsigned char *) emalloc(res_length);
        bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset));
        memcpy(res_buf, bin, res_length);
        res_buf[res_length] = '\0';

It's the setting of res_buf[res_length] illegal, as that would be
beyond the bounds of emalloc(res_length)?  Also this code (appearing in
two of the changes):

        res_length = 19;
        res_buf = (unsigned char *) emalloc(res_length);
        sprintf(res_buf, "%d-%02d-%02d %02d:%02d:%02d" ,  . . .

Since the length of the character string is going to be 19 characters,
isn't the sprintf going to write an ASCIIZ ending beyond the size of
res_buf?

Does the way emalloc() works take care of these problems?  Adding the
"+ 1" back to these four emalloc() calls stopped one set of crashes.

2) In version 1.83 of php_mssql.c the mssql_query() function was
altered from:

        if ((num_fields = dbnumcols(mssql_ptr->link)) <= 0) {
                RETURN_TRUE;
        }

to:

        if ((num_fields = dbnumcols(mssql_ptr->link)) <= 0 &&
!dbdataready(mssql_ptr->link)) {
                RETURN_TRUE;
        }

The CVS comment indicates that this change was for "fixing the
mssql_query to handle multiple results correct if the first result does
not return any data."  If I now call mssql_query() with a query that
doesn't return any values (like a SQL-T EXEC call), however, PHP will
crash (removing the new dbdataready() check eliminates the crash).

Michael Sisolak
[EMAIL PROTECTED]

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to