author | Stanislav Malyshev <stas@php.net> | 2015-04-11 16:56:12 -0700 |
committer | Julien Pauli <jpauli@php.net> | 2015-04-15 10:12:46 +0200 |
commit | 25cb6f001f3070062c2ffbb955a58bb3052bbf16 (patch) | |
tree | 5765a341292919cabc4a35aa9afcfc8acbe9501a | |
parent | b4554a022ee1ad718e372a646c92eddea1d08da4 (diff) | |
Merge branch 'PHP-5.4.40' into PHP-5.5.24
* PHP-5.4.40:
Additional fix for bug #69324
More fixes for bug #69152
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar)
Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER)
Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4)
Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault)
Fixed bug #68901 (use after free)
Fixed bug #68740 (NULL Pointer Dereference)
Fix bug #66550 (SQLite prepared statement use-after-free)
Better fix for #68601 for perf https://bitbucket.org/libgd/gd-libgd/commits/81e9a993f2893d651d225646378e3fd1b7465467
Fix bug #68601 buffer read overflow in gd_gif_in.c
Revert "Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4"
Fixed bug #69293
Add ZEND_ARG_CALLABLE_INFO to allow internal function to type hint against callable.
-rw-r--r-- | ext/ereg/regex/regcomp.c | 4 | ||||
-rw-r--r-- | ext/sqlite3/sqlite3.c | 16 | ||||
-rw-r--r-- | ext/sqlite3/tests/bug66550.phpt | 23 |
3 files changed, 43 insertions, 0 deletions
diff --git a/ext/ereg/regex/regcomp.c b/ext/ereg/regex/regcomp.c
index f4bfc1c167..c2223d7dbe 100644
--- a/ext/ereg/regex/regcomp.c
+++ b/ext/ereg/regex/regcomp.c
@@ -1284,6 +1284,10 @@ int c;
 register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;
 register unsigned uc = (unsigned char)c;
+ if (!g->setbits) {
+ return(0);
+ }
+
 for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
 if (col[uc] != 0)
 return(1);
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 8178d4f3b2..ce3af65fcb 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1279,6 +1279,8 @@ PHP_METHOD(sqlite3stmt, paramCount)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1295,6 +1297,8 @@ PHP_METHOD(sqlite3stmt, close)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1313,6 +1317,8 @@ PHP_METHOD(sqlite3stmt, reset)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1333,6 +1339,8 @@ PHP_METHOD(sqlite3stmt, clear)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
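Review bot: The new `if (!g->setbits)` guard in isinsets() carries no comment saying when `setbits` can be NULL while `ncols` (derived from `g->ncsets`) is non-zero, which is the only situation in which the loop below would dereference it; a reader would otherwise assume an absent set table implies `ncsets == 0` and the loop simply never runs. I would add `/* setbits may still be NULL while ncsets > 0 (set table never allocated for this guts) - treat c as outside every set */`, hedged because the allocation path that leaves the guts in that state is not in this hunk. It is also worth stating in that comment that the guard deliberately reports "not in any set" instead of signalling the inconsistent guts to the caller, so nobody later "fixes" it into an error path without checking the callers. The enclosing function starts before this hunk; only its K&R parameter declaration `int c;` is visible in the hunk header.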
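Review bot: The SQLITE3_CHECK_INITIALIZED line added to paramCount() passes `SQLite3` as the class-name argument, so the warning raised from an SQLite3Stmt method reads `The SQLite3 object has not been correctly initialised` (as the new bug66550.phpt expects), which points the user at the connection rather than at the statement that was invalidated. If that third argument only feeds the message text, passing `SQLite3Stmt` here and in the other seven methods would make the diagnostic accurate, with the test's EXPECTF line updated to match. Since the same line is copied into eight methods, a one-line comment on the first occurrence, `/* initialised is cleared when the owning SQLite3 is closed and the sqlite3_stmt freed; bail before touching it */`, would record why the check must run before argument parsing; hedged, because the close path that clears the flag is outside this diff. paramCount()'s body continues past the hunk.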
@@ -1354,6 +1362,8 @@ PHP_METHOD(sqlite3stmt, readOnly)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1421,6 +1431,8 @@ PHP_METHOD(sqlite3stmt, bindParam)
 zval *object = getThis();
 struct php_sqlite3_bound_param param = {0};
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 param.param_number = -1;
 param.type = SQLITE3_TEXT;
@@ -1452,6 +1464,8 @@ PHP_METHOD(sqlite3stmt, bindValue)
 zval *object = getThis();
 struct php_sqlite3_bound_param param = {0};
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 param.param_number = -1;
 param.type = SQLITE3_TEXT;
@@ -1487,6 +1501,8 @@ PHP_METHOD(sqlite3stmt, execute)
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
diff --git a/ext/sqlite3/tests/bug66550.phpt b/ext/sqlite3/tests/bug66550.phpt
new file mode 100644
index 0000000000..a44515b0d9
--- /dev/null
+++ b/ext/sqlite3/tests/bug66550.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE== |
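Review bot: The new test only calls `$stmt->reset()` after `$db->close()`, so seven of the eight methods guarded in sqlite3.c (paramCount, close, clear, readOnly, bindParam, bindValue, execute) get no regression coverage, and execute() is the one most likely to be reached on a freed statement in real code. Adding `var_dump($stmt->bindValue(':id', 1));` and `var_dump($stmt->execute());` after the reset() call, with the matching `Warning: SQLite3Stmt::bindValue(): …` / `Warning: SQLite3Stmt::execute(): …` lines and `bool(false)` in EXPECTF, would also pin the return value, which the current EXPECTF does not check at all (false, if the macro returns false as the SQLite3-side checks in this file appear to). The comment `// Access the sqlite3_stmt object via the php_sqlite3_stmt container` would read better as `// The wrapper still exists but its sqlite3_stmt was freed by close(); this must warn, not crash`, since that is the property being tested.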