PHP Driver: Extension / PHPC-430

Query constructor may corrupt incoming options

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker - P1
    • 1.0.0-beta2
    • Affects Version/s: 1.0.0-beta1
    • Component/s: None
    • None

      $filter = [];
      $options = ['sort' => array()];
      $query = new MongoDB\Driver\Query($filter, $options);
      var_dump($options);
      

      The sort option is changed to a stdClass instance.

      $options = ['sort' => array()];
      $filter = [];
      $options2 = $options;
      $options2["cursorFlags"] = 0;
      $query = new MongoDB\Driver\Query($filter, $options2);
      $options["cursorFlags"] = 0;
      var_dump($options);
      

      The above results in:

      [Mon Sep 21 16:51:11 2015]  Script:  '/home/jmikola/workspace/mongodb/phpc/segfault/exception1.php'
      /home/jmikola/workspace/mongodb/phpc/php_phongo.c(382) :  Freeing 0x7F97DBBEFD68 (32 bytes), script=/home/jmikola/workspace/mongodb/phpc/segfault/exception1.php
      === Total 1 memory leaks detected ===
      

      Dumping the sort option from exception1.php after a second Query construction results in its value being displayed as "&UNKNOWN:0", which indicates some corruption.

      Lastly, it's possible to invoke a segfault by executing one of these queries (see segfault.php).

        1. segfault.php
          2 kB
        2. exception1.php
          1 kB
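A regression check for the behaviour reported above, as an added example that is not part of the original report or of the driver's own test suite. It assumes the `mongodb` extension is loaded; `option_mutations()` is a hypothetical helper name, and the two option sets are taken from the snippets in the report.

```php
<?php
// Added example: detects whether MongoDB\Driver\Query alters the caller's options.

/** Returns a list of differences found in $options after constructing a Query. */
function option_mutations(array $filter, array $options): array
{
    // Snapshot value and per-key type before the constructor sees the array.
    $before = serialize($options);
    $types  = array_map('gettype', $options);

    // Pass a copy, as the report's second snippet does with $options2.
    $passed = $options;
    try {
        new MongoDB\Driver\Query($filter, $passed);
    } catch (\Throwable $e) {
        return ['constructor threw ' . get_class($e) . ': ' . $e->getMessage()];
    }

    $problems = [];
    foreach ($types as $key => $type) {
        if (!array_key_exists($key, $options)) {
            $problems[] = "option '$key' disappeared";
        } elseif (gettype($options[$key]) !== $type) {
            // The report saw array -> stdClass and an "UNKNOWN" value here.
            $problems[] = "option '$key' changed type: $type -> " . gettype($options[$key]);
        }
    }
    if (!$problems && serialize($options) !== $before) {
        $problems[] = 'option values changed';
    }
    return $problems;
}

if (!extension_loaded('mongodb')) {
    fwrite(STDERR, "mongodb extension not loaded\n");
    exit(2);
}

$cases = [
    'empty sort'                  => ['sort' => []],
    'empty sort plus cursorFlags' => ['sort' => [], 'cursorFlags' => 0],
];
$failed = 0;
foreach ($cases as $name => $options) {
    $problems = option_mutations([], $options);
    echo $name, ': ', $problems ? 'FAIL (' . implode('; ', $problems) . ')' : 'ok', "\n";
    $failed += $problems ? 1 : 0;
}
exit($failed ? 1 : 0);
```

Running it under a debug build of PHP also surfaces the leak report shown above, since the memory manager prints leaks at script shutdown.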

            Assignee: Jeremy Mikola (jmikola@mongodb.com)
            Reporter: Jeremy Mikola (jmikola@mongodb.com)