Edit report at https://bugs.php.net/bug.php?id=54296&edit=1

 ID:                 54296
 Updated by:         fel...@php.net
 Reported by:        decoder-php at own-hero dot net
 Summary:            Crash in SQLite3Stmt internal object destructor
 Status:             Assigned
-Type:               Security
+Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux x86-64
 PHP Version:        5.3.5
 Assigned To:        scottmac
 Block user comment: N
 Private report:     Y

Previous Comments:
------------------------------------------------------------------------
[2011-03-23 02:03:10] fel...@php.net

It seems a bit related to bug #53626.

------------------------------------------------------------------------
[2011-03-17 15:48:26] decoder-php at own-hero dot net

Description:
------------
The attached code crashes on PHP5.3.5 (debug build).

Test script:
---------------
<?php
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');

$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($$result->columnName(0));
}
?>

Actual result:
--------------
==30655== Invalid read of size 8
==30655==    at 0x7C5DEA: zend_llist_del_element (zend_llist.c:97)
==30655==    by 0x49EF70: php_sqlite3_stmt_object_free_storage (sqlite3.c:1936)
==30655==    by 0x800A1C: zend_objects_store_free_object_storage (zend_objects_API.c:92)
==30655==    by 0x7C1326: shutdown_executor (zend_execute_API.c:302)
==30655==    by 0x7D2685: zend_deactivate (zend.c:890)
==30655==    by 0x75C7B5: php_request_shutdown (main.c:1633)
==30655==    by 0x8B7FEB: main (php_cli.c:1374)
==30655==  Address 0x5a5a5a5a5a5a5a5a is not stack'd, malloc'd or (recently) free'd
==30655==
==30655==
==30655== Process terminating with default action of signal 11 (SIGSEGV)

------------------------------------------------------------------------

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=54296&edit=1