Description
As our data systems are dynamic, a bug allowed a referenced field to become an empty string. This normally wouldn't be a problem, but we found that when we passed an empty key => 1 to a projection, PHP core dumped.
Our projection was an array of 57 key-value pairs. The first two were fine; the third one had an empty key:

```php
array(
    'Field1' => 1,
    'Field2' => 1,
    '' => 1,
    'Field4' => 1,
    [...]
);
```
This caused our find() query to core dump PHP entirely.
The output from GDB for this issue was:
```text
#0  0x000000080965c558 in bson_destroy (bson=0x80d07b990) at /tmp/pear/mongodb/src/libbson/src/bson/bson.c:2181
2181    /tmp/pear/mongodb/src/libbson/src/bson/bson.c: No such file or directory.
        in /tmp/pear/mongodb/src/libbson/src/bson/bson.c
[New Thread 802806400 (LWP 100894/<unknown>)]
(gdb) bt
#0  0x000000080965c558 in bson_destroy (bson=0x80d07b990) at /tmp/pear/mongodb/src/libbson/src/bson/bson.c:2181
#1  0x0000000809684145 in _mongoc_cursor_destroy (cursor=0x80d07b900) at /tmp/pear/mongodb/src/libmongoc/src/mongoc/mongoc-cursor.c:522
#2  0x0000000809683fbd in mongoc_cursor_destroy (cursor=<value optimized out>) at /tmp/pear/mongodb/src/libmongoc/src/mongoc/mongoc-cursor.c:479
#3  0x00000008096afda5 in phongo_execute_query (manager=<value optimized out>, namespace=<value optimized out>, zquery=<value optimized out>, zreadPreference=<value optimized out>, server_id=<value optimized out>, return_value=<value optimized out>, return_value_used=<value optimized out>)
    at /tmp/pear/mongodb/php_phongo.c:565
#4  0x00000008096c0ede in zim_Server_executeQuery (ht=<value optimized out>, return_value=<value optimized out>, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /tmp/pear/mongodb/src/MongoDB/Server.c:104
#5  0x00000000005f13b4 in zend_do_fcall_common_helper_SPEC ()
#6  0x00000000005b2538 in execute_ex ()
#7  0x000000000058a4d3 in zend_execute_scripts ()
#8  0x0000000000531ee3 in php_execute_script ()
#9  0x000000000060d8f3 in do_cli ()
#10 0x000000000060c74f in main ()
```
The mongodb.so also dumped core, but that backtrace is utterly useless:

```text
Core was generated by `mongodb.so'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000001050e44 in ?? ()
(gdb) bt
#0  0x0000000001050e44 in ?? ()
#1  0x0000000000000000 in ?? ()
```
Environment
FreeBSD 10.2-RELEASE
MongoDB PECL Library 1.2.5 (it occurred on 1.1.9 too)
PHP 5.6.27
MongoDB PHP Library 1.1.0 and 1.1.2
```text
MongoDB support => enabled
MongoDB extension version => 1.2.5
MongoDB extension stability => stable
libbson bundled version => 1.5.4
libmongoc bundled version => 1.5.4
libmongoc SSL => enabled
libmongoc SSL library => OpenSSL
libmongoc crypto => enabled
libmongoc crypto library => libcrypto
libmongoc crypto system profile => disabled
libmongoc SASL => enabled
```
Test Script
Run this script on the CLI.
```php
<?php
// Create a collection named dumptest in the test db
// Put three items in there, three keys each
// { Field1:1, Field2:2, Field3:3 }
// Then execute, receive core dump
require_once 'vendor/autoload.php';

$db = new MongoDB\Driver\Manager("mongodb://127.0.0.1/test");
$collection = new \MongoDB\Collection($db, 'test', 'dumptest');

// The third key is an empty string; this is the input that triggers the crash.
$projection = [
    'Field1' => 1,
    'Field2' => 1,
    '' => 1
];

// find() executes the query immediately; PHP segfaults here instead of
// returning a cursor.
$colIter = $collection->find([], [ 'projection' => $projection ]);
```
Expected and Actual Behavior
Expected: MongoDB Library or Driver would kindly throw a Catchable hissy fit letting me know that there was an unexpected projection. The same query on the MongoDB CLI does NOT cause problems.
Actual: Repeatable PHP core dump.
Should I cross-post this to the library project? They could handle it, but since it dumped core, that's a driver issue.
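Until the driver rejects the input itself, an application can guard against it. The following is an added example, not code from the reporter or from the MongoDB driver or library: it walks a filter or projection recursively and throws an exception on any empty-string key (the trigger reported above) before the array is handed to `MongoDB\Collection::find()`. It also rejects keys containing a NUL byte, which is a general BSON constraint (field names are C strings) rather than something observed in this report. The function names `assertValidBsonKeys` and `safeFind` are assumed; the `MongoDB\Collection` API usage matches the test script. It avoids scalar type hints so it runs on the PHP 5.6 listed in the environment.

```php
<?php
// Added example (not the reporter's or the driver's code): reject BSON-invalid
// keys before a document reaches the driver, so a bad projection throws a
// catchable exception instead of crashing PHP.
require_once 'vendor/autoload.php';

/**
 * Recursively check every string key in $doc. Throws InvalidArgumentException
 * for an empty key (the crash trigger in this report) or a key containing a
 * NUL byte (not encodable as a BSON field name; general BSON constraint, not
 * from this report). Integer keys are skipped: PHP lists become BSON arrays,
 * whose indices are not user-supplied field names.
 *
 * @param array  $doc  filter, projection or any nested document
 * @param string $path dotted path of the enclosing field, for error messages
 */
function assertValidBsonKeys(array $doc, $path = '')
{
    foreach ($doc as $key => $value) {
        $label = $path === '' ? '<root>' : $path;

        if (is_string($key)) {
            if ($key === '') {
                throw new InvalidArgumentException(
                    sprintf('Empty field name in document at %s', $label)
                );
            }
            if (strpos($key, "\0") !== false) {
                throw new InvalidArgumentException(
                    sprintf('Field name containing NUL byte in document at %s', $label)
                );
            }
        }

        // Descend into nested documents such as ['a' => ['$slice' => 1]].
        if (is_array($value)) {
            $child = $path === '' ? (string) $key : $path . '.' . $key;
            assertValidBsonKeys($value, $child);
        }
    }
}

/**
 * Wrapper around MongoDB\Collection::find() (assumed helper name) that
 * validates the filter and the projection option first.
 *
 * @return MongoDB\Driver\Cursor
 */
function safeFind(MongoDB\Collection $collection, array $filter, array $options = array())
{
    assertValidBsonKeys($filter);
    if (isset($options['projection']) && is_array($options['projection'])) {
        assertValidBsonKeys($options['projection']);
    }
    return $collection->find($filter, $options);
}

// Run the reporter's projection through the guard: this throws, it does not
// segfault. No database connection is needed for this part.
$projection = array(
    'Field1' => 1,
    'Field2' => 1,
    ''       => 1,
);

try {
    assertValidBsonKeys($projection);
    echo "projection accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// With a running server, the same guard in front of the real query:
// $db         = new MongoDB\Driver\Manager("mongodb://127.0.0.1/test");
// $collection = new MongoDB\Collection($db, 'test', 'dumptest');
// $cursor     = safeFind($collection, array(), array('projection' => $projection));
```

This only papers over the application side; the driver still needs to validate field names when it builds the BSON, since any code path that feeds user-influenced keys into a query (the dynamic data system mentioned above) is otherwise a remote crash vector for the PHP process.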