From: nalply at gmail dot com
Operating system: Debian Lenny amd64
PHP version: 5.2.11
PHP Bug Type: Reproducible crash
Bug description: 64bit libtdsodbc.so crash because of malloc 4 byte missing
Description:
------------
I have a page which reproducibly overwrites non-alloc'd memory (a write of 8 bytes instead of 4 bytes at the end of the range). It is caused by the call odbc_fetch_object() and the bad write in libtdsodbc.so. For more details see: http://serverfault.com/questions/90100/64bit-unixodbc-and-freetds-a-bug-in-libtdsodbc-so, there is a valgrind output.

It crashes in the Apache module only. The PHP command line with Suhosin reports a canary mismatch.

Note, it is version 5.2.6-1+lenny4, that's what Debian Lenny has installed, and not 5.2.11, because the form forced me to enter this version. I won't upgrade my PHP to a newer version. Take this bug report or leave it.

It is not sure whether the bug is in PHP ODBC or in TDS ODBC, so I am going to report this bug thrice: here and there and with Debian.

Reproduce code:
---------------
#!/usr/bin/php5
<?php
// "dsn", "user" and "password" stand for the reporter's real unixODBC DSN and credentials.
$conn = odbc_connect("dsn", "user", "password");
$query = odbc_exec($conn, "SELECT 'alpha' test");
echo "Before odbc_fetch_object(); query=$query\n";
flush();
// The bad 8-byte write into a 4-byte slot happens inside this call (see the valgrind output linked above).
if ($query) $row = odbc_fetch_object($query);
echo "After odbc_fetch_row();\n";
flush();
echo "Result=" . $row->test . "\n";
?>some static text

Expected result:
----------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

Actual result:
--------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text

-- Edit bug report at http://bugs.php.net/?id=50370&edit=1
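Editor's note, not part of the bug report above: the report describes an 8-byte store landing in a slot that was allocated 4 bytes wide, right at the end of a malloc'd range, and Suhosin catching it as a canary mismatch on efree(). The C program below is an added illustration of that class of bug, written for this page and not taken from PHP, FreeTDS or Suhosin. The guarded allocator, the canary value and the two "indicator" callees are assumptions for the demonstration; the naming of the 8-byte width as SQLLEN-sized and the 4-byte width as SQLINTEGER-sized refers to the usual 64-bit ODBC width mismatch and is an assumption about the mechanism, since the report itself does not establish which side of the PHP/FreeTDS boundary is wrong.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy guarded allocator (an assumption for illustration, not Suhosin's or
 * PHP's allocator): each block is [header][payload of n bytes][4-byte canary]. */
#define CANARY 0xA5A5A5A5u

typedef struct {
    size_t size;             /* requested payload size */
    unsigned char payload[]; /* n bytes, followed by the canary */
} guarded_hdr;

static guarded_hdr *hdr_of(void *p) {
    return (guarded_hdr *)((unsigned char *)p - offsetof(guarded_hdr, payload));
}

void *guarded_alloc(size_t n) {
    guarded_hdr *h = malloc(sizeof *h + n + sizeof(uint32_t));
    if (h == NULL) return NULL;
    h->size = n;
    uint32_t c = CANARY;
    memcpy(h->payload + n, &c, sizeof c); /* plant the canary right past the payload */
    return h->payload;
}

/* 1 if the canary after the payload is intact, 0 if something wrote past the end. */
int guarded_check(void *p) {
    guarded_hdr *h = hdr_of(p);
    uint32_t c;
    memcpy(&c, h->payload + h->size, sizeof c);
    return c == CANARY;
}

void guarded_free(void *p) {
    if (p != NULL) free(hdr_of(p));
}

/* Two hypothetical callees filling a length indicator for the fetched column
 * ('alpha' = 5 bytes). The 8-byte variant models a library built for an ABI
 * where the indicator is 8 bytes wide on 64-bit (SQLLEN-sized); the 4-byte
 * variant models one that honours a 4-byte (SQLINTEGER-sized) indicator. */
void write_indicator_8(void *out) {
    int64_t len = 5;
    memcpy(out, &len, sizeof len); /* 8-byte store */
}

void write_indicator_4(void *out) {
    int32_t len = 5;
    memcpy(out, &len, sizeof len); /* 4-byte store */
}

/* The caller reserves only a 4-byte slot, as a caller expecting a 4-byte
 * indicator would. Returns 1 if the heap stayed intact, 0 on canary mismatch,
 * -1 if the allocation failed. The check mirrors what Suhosin does on efree(). */
int fetch_with(void (*write_indicator)(void *)) {
    void *slot = guarded_alloc(sizeof(int32_t));
    if (slot == NULL) return -1;
    write_indicator(slot);
    int intact = guarded_check(slot);
    guarded_free(slot);
    return intact;
}

int main(void) {
    printf("4-byte store into 4-byte slot: %s\n",
           fetch_with(write_indicator_4) ? "canary intact" : "CANARY MISMATCH");
    printf("8-byte store into 4-byte slot: %s\n",
           fetch_with(write_indicator_8) ? "canary intact" : "CANARY MISMATCH");
    return 0;
}
```

Only the last 4 bytes of the 8-byte store spill past the slot, which is why the report sees exactly 4 bytes written beyond the range; a production allocator without a canary would silently corrupt whatever follows, and the crash then shows up (as it does here in the Apache module) wherever that neighbouring data is next used, not at the bad write itself. Running the same request under valgrind, as the reporter did, or under an allocator with canaries, is the way to get the fault attributed to the store that caused it.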