Segfault on mysqlnd stream cast

Hey Rasmus

2013/8/3 Rasmus Lerdorf rasmus@lerdorf.com:

Hey Johannes, could you take a look at:

https://gist.github.com/anonymous/6143477

You can reproduce in 5.5 with:

sapi/cli/php ext/mysqli/tests/mysqli_poll_kill.php

main/streams/cast.c:306 is:

if (php_stream_is_filtered(stream)) {

but php_stream_is_filtered is just a macro that isn't expecting stream
to be null and you get the segfault there because it is trying to
dereference it. We could just add a null check, of course, but I think
the problem is in mysqlnd. mysqlnd_stream_array_to_fd_set() shouldn't be
trying to cast null streams.

I've attached a patch that should check for a NULL stream, it works as follows:

mysqlnd_stream_array_to_fd_set() (&
mysqlnd_stream_array_from_fd_set()) calls the get_stream method, which
may return NULL, previously it was directly passed to
php_stream_cast(), and not checked prior to that.

However, I did not look into the mysqli_poll function, which may not
properly set a stream or something in that way, so this patch should
be just getting rid of the noise. I'm saying "should" as I did not
have the time to configure a build env from where I currently am
located as well as I'm rusty =(

Patch is attached.

--
regards,

Kalle Sommer Nielsen
kalle@php.net

Hi Rasmus,

Hey Johannes, could you take a look at:

https://gist.github.com/anonymous/6143477

You can reproduce in 5.5 with:

sapi/cli/php ext/mysqli/tests/mysqli_poll_kill.php

main/streams/cast.c:306 is:

if (php_stream_is_filtered(stream)) {

but php_stream_is_filtered is just a macro that isn't expecting stream
to be null and you get the segfault there because it is trying to
dereference it. We could just add a null check, of course, but I think
the problem is in mysqlnd. mysqlnd_stream_array_to_fd_set() shouldn't be
trying to cast null streams.

-Rasmus

I just tried the combo PHP 5.5 (git) with MySQL 5.6 (13-dev) without
segfault. What's your setup?

Andrey