::getColumnMeta() on unexecuted statement segfaults

[YuanchengJiang]

Description

The following code:

<?php
$db = new PDO('sqlite::memory:');
$x= $db->prepare('select :a, :b, ?');
$fusion = $x;
$pdo = new PDO('sqlite::memory:', null, null, [
]);
$stmt = $pdo->query('select 1 where 0');
if ($stmt->columnCount()) {
var_dump($fusion->getColumnMeta(0));
}

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/pdo/pdo_stmt.c:1590:9: runtime error: applying zero offset to null pointer
    #0 0x202607d in zim_PDOStatement_getColumnMeta /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/pdo/pdo_stmt.c:1590:9
    #1 0x42845f7 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:2037:4
    #2 0x3fa31b7 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #3 0x3fa543c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #4 0x4d460b9 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
    #5 0x353e4ca in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2584:13
    #6 0x353f608 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2624:9
    #7 0x4d5aecb in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:948:5
    #8 0x4d553af in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1348:18
    #9 0x7f489e884d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f489e884e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x605954 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605954)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/pdo/pdo_stmt.c:1590:9 in 

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

commit ed9c283589df568a90f2028aa085627ceeda2c6e
Author: Christoph M. Becker <cmbecker69@gmx.de>
Date:   Sat Feb 15 18:26:11 2025 +0100

    Fail build_task.bat if main nmake failed (GH-17820)
    
    Otherwise we may not notice Windows CI build failures.
    
    Fixes GH-17818.

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

ed9c283

Operating System

No response

[cmb69]

Simplified reproducer:

$db = new PDO('sqlite::memory:');
$x = $db->prepare('select :a, :b, ?');
var_dump($x->getColumnMeta(0));

Apparerently, we do not catch that the statement is not yet executed.

[cmb69]

Possible fix:

 ext/pdo_sqlite/sqlite_statement.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pdo_sqlite/sqlite_statement.c b/ext/pdo_sqlite/sqlite_statement.c
index 29309ac5f1f..c0e32745023 100644
--- a/ext/pdo_sqlite/sqlite_statement.c
+++ b/ext/pdo_sqlite/sqlite_statement.c
@@ -305,7 +305,7 @@ static int pdo_sqlite_stmt_col_meta(pdo_stmt_t *stmt, zend_long colno, zval *ret
 	const char *str;
 	zval flags;
 
-	if (!S->stmt) {
+	if (!S->stmt || !stmt->executed) {
 		return FAILURE;
 	}
 	if(colno >= sqlite3_column_count(S->stmt)) {

[nielsdos]

@cmb69 That's also what pdo_mysql seems to do and it makes sense to me. Feel free to make a PR 🙂