Bug #44333 SEGFAULT when using mysql_pconnect() with client_flags
Submitted: 2008-03-04 21:03 UTC Modified: 2008-03-04 22:32 UTC
From: drake at oomkill dot net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2.6RC1 OS: Hardened Gentoo Linux (amd64)
Private report: No CVE-ID: None

 [2008-03-04 21:03 UTC] drake at oomkill dot net

Description:
------------
Segfaults appear when using:
mysql_pconnect('localhost', 'foo', 'bar', 0);
but runs fine when using:
mysql_pconnect('localhost', 'foo', 'bar');

The bug is most likely caused by trying to store a 'long' value in an 'int' on the stack.

At the beginning of php_mysql_do_connect() in ext/mysql/php_mysql.c there is the following declaration:
int client_flags = 0;

Later in that function zend_parse_parameters() stores a long at &client_flags, which can also overwrite another variable on the stack.

Changing the client_flags to unsigned long (like it is defined in mysql's headers) solved my segfault problem.


Reproduce code:
---------------
<?php
// the user/pass don't have to be valid.
mysql_pconnect('localhost', 'foo', 'bar', 0);


Expected result:
----------------
No segfault.

Actual result:
--------------
Segfault. No php/zend error message in logs.
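The mechanism described in the report, a `long` written through a pointer to an `int`, can be reproduced in isolation. The following C program is an added illustration, not PHP's own code: `parse_long_arg()` is a hypothetical stand-in for what `zend_parse_parameters()` does for an "l" specifier, and the two structs are assumed models of the stack frame (real stack layout is compiler-dependent; the struct only makes the adjacency of the two locals deterministic). On an LP64 platform such as amd64 the 8-byte write into a 4-byte `client_flags` clobbers the local next to it; declaring `client_flags` as `unsigned long`, as the report suggests, makes the destination as wide as the write.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for zend_parse_parameters() handling an "l" specifier:
 * it writes a whole `long` through whatever pointer it was handed. The copy is
 * done byte-wise through a volatile pointer so the compiler cannot assume the
 * write fits inside the caller's declared variable. */
static void parse_long_arg(void *dest, long value)
{
    volatile unsigned char *out = (volatile unsigned char *)dest;
    const unsigned char *in = (const unsigned char *)&value;
    for (size_t i = 0; i < sizeof value; i++)
        out[i] = in[i];
}

#define SENTINEL 0x5A5A5A5A  /* constructed marker value for the neighbouring local */

/* Assumed model of the frame from the bug report: client_flags declared as
 * int, with another local immediately after it. */
struct buggy_frame {
    int client_flags;
    int neighbour;
};

/* The fix from the report: the destination is as wide as what gets written. */
struct fixed_frame {
    unsigned long client_flags;
    int neighbour;
};

/* Returns 1 if the neighbouring local survives the parse, 0 if it was clobbered.
 * The frame is volatile so the final read really comes from memory. */
int buggy_frame_neighbour_survives(long flags)
{
    volatile struct buggy_frame f = { 0, SENTINEL };
    parse_long_arg((void *)&f.client_flags, flags);
    return f.neighbour == SENTINEL;
}

int fixed_frame_neighbour_survives(long flags)
{
    volatile struct fixed_frame f = { 0, SENTINEL };
    parse_long_arg((void *)&f.client_flags, flags);
    return f.neighbour == SENTINEL;
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    printf("int client_flags:           neighbour %s\n",
           buggy_frame_neighbour_survives(0) ? "intact" : "clobbered");
    printf("unsigned long client_flags: neighbour %s\n",
           fixed_frame_neighbour_survives(0) ? "intact" : "clobbered");
    return 0;
}
```

The value 0 passed as `client_flags` in the report is enough to trigger the corruption: the upper four bytes of the `long` are zero, and they land on top of the neighbouring local. On a platform where `long` is the same width as `int` the buggy frame happens to survive, which is why the mismatch can go unnoticed until the code is built on amd64.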


 [2008-03-04 22:32 UTC] felipe@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.