Ask a Question related to PHP Bugs, Design and Development.
-
stas@php.net #1
#38710 [Asn->Fbk]: data leakage because of nonexisting boundary checking in statements
ID: 38710
Updated by: [email]stas@php.net[/email]
Reported By: domas at mysql dot com
-Status: Assigned
+Status: Feedback
Bug Type: MySQLi related
Operating System: Any
PHP Version: 5.1.6
Assigned To: andrey
New Comment:
Please try using this CVS snapshot:
[url]http://snaps.php.net/php5.2-latest.tar.gz[/url]
For Windows:
[url]http://snaps.php.net/win32/php5.2-win32-latest.zip[/url]
I've committed semi-fix (real fix would be to fetch all the data, I
guess).
Previous Comments:
------------------------------------------------------------------------
[2006-09-04 16:45:05] [email]georg@php.net[/email]
see also [url]http://bugs.mysql.com/bug.php?id=22001[/url]
------------------------------------------------------------------------
[2006-09-04 10:35:58] domas at mysql dot com
#0 0x007c758c in memcpy () from /lib/tls/libc.so.6
#1 0x081b6d91 in _estrndup ()
#2 0x05698383 in zif_mysqli_stmt_fetch (ht=147132188,
return_value=0x8c420bc, return_value_ptr=0x0,
this_ptr=0x8c50f1c, return_value_used=0)
at /usr/src/redhat/BUILD/php-5.1.6/ext/mysqli/
mysqli_api.c:717
#3 0x081e9a81 in zend_do_fcall_common_helper_SPEC ()
#4 0x081e93bb in execute ()
#5 0x081ce2e0 in zend_execute_scripts ()
#6 0x08192006 in php_execute_script ()
#7 0x00000000 in ?? ()
------------------------------------------------------------------------
[2006-09-04 10:34:02] domas at mysql dot com
Description:
------------
If function is executed in a prepared statement (like CONCAT,
UNCOMPRESS, etc), it allocates 8192-sized buffer, but fetch()
doesn't check actual length of data. If data crosses 8192-byte
boundary, all sorts of weird stuff starts to happen, including
possible sensitive data disclosures of non-overwrited buffers
(at smaller lengths) or process crashes (at bigger ones).
Reproduce code:
---------------
$db=new mysqli("localhost","root","","test");
$qry=$db->stmt_init();
$qry->prepare("SELECT REPEAT('a',100000)");
$qry->execute();
$qry->bind_result($text);
$qry->fetch();
Expected result:
----------------
silence
Actual result:
--------------
crash!
------------------------------------------------------------------------
--
Edit this bug report at [url]http://bugs.php.net/?id=38710&edit=1[/url]
stas@php.net Guest
-
#36402 [Com]: PDO_MYSQL prepared statements cause Out of memory or data corruption
ID: 36402 Comment by: ayuzhakov at swsoft dot com Reported By: joh at deworks dot net Status: No Feedback Bug... -
checking whether fileNames are same as data
I have a file named 'readFile.cfm' There are 5 files except readFile.cfm in the same directory. They are named 'a.cfm b.cfm d.cfm h.cfm k.cfm' And... -
newbie needs help with checking for posted data
Janwillem Borleffs wrote: Did find your message in alt.comp.lang.php however. DO NOT multi-post, but cross-post to several newsgroups at once as... -
File.open leakage question
If I do: file = File.open('somefile') and never close the file, will Ruby automatically close it when the variable "file" goes out of scope?... -
Compound statements, how do I send data to the console from them ?
Hi all, As part of setting up a database we have, I am writing some scripts to load core data. Because I need to generate values throughout these...
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
