Edit report at https://bugs.php.net/bug.php?id=54296&edit=1

 ID:                 54296
 Updated by:         fel...@php.net
 Reported by:        decoder-php at own-hero dot net
 Summary:            Crash in SQLite3Stmt internal object destructor
 Status:             Assigned
-Type:               Security
+Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux x86-64
 PHP Version:        5.3.5
 Assigned To:        scottmac
 Block user comment: N
 Private report:     Y



Previous Comments:
------------------------------------------------------------------------
[2011-03-23 02:03:10] fel...@php.net

It seems a bit related to bug #53626.

------------------------------------------------------------------------
[2011-03-17 15:48:26] decoder-php at own-hero dot net

Description:
------------
The attached code crashes on PHP5.3.5 (debug build).

Test script:
---------------
<?php
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');
$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($$result->columnName(0));
}
?>


Actual result:
--------------
==30655== Invalid read of size 8
==30655==    at 0x7C5DEA: zend_llist_del_element (zend_llist.c:97)
==30655==    by 0x49EF70: php_sqlite3_stmt_object_free_storage (sqlite3.c:1936)
==30655==    by 0x800A1C: zend_objects_store_free_object_storage 
(zend_objects_API.c:92)
==30655==    by 0x7C1326: shutdown_executor (zend_execute_API.c:302)
==30655==    by 0x7D2685: zend_deactivate (zend.c:890)
==30655==    by 0x75C7B5: php_request_shutdown (main.c:1633)
==30655==    by 0x8B7FEB: main (php_cli.c:1374)
==30655==  Address 0x5a5a5a5a5a5a5a5a is not stack'd, malloc'd or (recently) 
free'd
==30655== 
==30655== 
==30655== Process terminating with default action of signal 11 (SIGSEGV)


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=54296&edit=1

Reply via email to