CMiksche / dbd-modules

Automatically exported from code.google.com/p/dbd-modules

segmentation faults with mod_vhost_dbd #2

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When I use mod_vhost_dbd-1.0.4 with mysql-5.0.60, apr-1.2.11,
apr-util-1.2.10, and apache-2.2.9 on Linux, the server reproducibly exits
with segmentation faults.

This patch solves the problem:
--- mod_vhost_dbd.c.orig    2008-06-24 21:59:56.000000000 +0200
+++ mod_vhost_dbd.c 2008-06-24 22:00:30.000000000 +0200
@@ -77,8 +77,8 @@
 static int setDocRoot(request_rec *r)
 {
     request_rec *mainreq = r;
-    apr_dbd_results_t *res;
-    apr_dbd_row_t *row;
+    apr_dbd_results_t *res = NULL;
+    apr_dbd_row_t *row = NULL;
     ap_dbd_t *dbd;
     apr_dbd_prepared_t *stmt;
     apr_dbd_prepared_t *prestmt;
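
Review bot: `dbd`, `stmt` and `prestmt`, declared directly below the two changed lines, are still left uninitialised. If any of them is handed by address to a driver call that tests the incoming value the way the `if (!*res)` check quoted in this report does, the same fault applies, so initialise them to NULL as well. A one-line comment above `res` and `row` saying that the driver treats a non-NULL value as existing storage would keep the initialisers from being removed later as redundant.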

I spent only a little time on debugging this, but it seems reasonable. The
call chain is setDocRoot -> apr_dbd_pselect -> dbd_mysql_pselect ->
dbd_mysql_pselect_internal. In that function you will find:
if (!*res) {
    *res = apr_pcalloc(pool, sizeof(apr_dbd_results_t));
}
If we do not initialise res, it can have any value. But
dbd_mysql_pselect_internal will only allocate memory for the result set if
res is zero.

The same is true for setDocRoot -> apr_dbd_get_row -> dbd_mysql_get_row.

Original issue reported on code.google.com by thors...@thvo.de on 24 Aug 2008 at 4:21

GoogleCodeExporter commented 9 years ago
That seems like a bug in the DBD driver. The call to
apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1) should either set the
'row' pointer or return failure. It sounds like it is depending on the
existing value of 'row'.

Your proposed change is reasonable for safety, so I will make it.

Original comment by Thomas.D...@gmail.com on 17 May 2009 at 7:09
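
The two contracts discussed in the comments above, modelled as an added example (not code from mod_vhost_dbd, APR or either commenter): `results_t`, `inout_select`, `out_only_select` and `clobbers` are hypothetical names. A pointer to a local object stands in for the leftover stack value so the program stays well-defined; a real uninitialised pointer would hold an arbitrary address.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for apr_dbd_results_t; not the APR definition. */
typedef struct { int ntuples; } results_t;
static int allocations;  /* how often a callee allocated */

/* Models the in/out contract quoted in the issue: allocate only when
 * *res is NULL, otherwise reuse whatever *res already points at. */
static int inout_select(results_t **res, int ntuples)
{
    if (!*res) {
        *res = calloc(1, sizeof(results_t));
        if (!*res) return -1;
        allocations++;
    }
    (*res)->ntuples = ntuples;  /* the write goes through the caller's value */
    return 0;
}

/* Out-only variant: the incoming value of *res is never trusted. */
static int out_only_select(results_t **res, int ntuples)
{
    *res = NULL;
    return inout_select(res, ntuples);
}

/* Runs one caller. stale=1 simulates an uninitialised `res` that happens to
 * hold a non-NULL leftover; stale=0 is the patched `res = NULL` caller.
 * Returns 1 if the callee wrote into memory it did not allocate. */
static int clobbers(int (*select_fn)(results_t **, int), int stale)
{
    results_t unrelated = { 1234 };             /* constructed victim object */
    results_t *res = stale ? &unrelated : NULL;
    int before = allocations;
    if (select_fn(&res, 7) != 0) return -1;
    if (allocations != before) free(res);       /* free only callee storage */
    return unrelated.ntuples != 1234;
}

int main(void)
{
    printf("in/out, stale res:   %d\n", clobbers(inout_select, 1));
    printf("in/out, res = NULL:  %d\n", clobbers(inout_select, 0));
    printf("out-only, stale res: %d\n", clobbers(out_only_select, 1));
    return 0;
}
```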

GoogleCodeExporter commented 9 years ago

Original comment by Thomas.D...@gmail.com on 17 May 2009 at 7:32