Fixed bug #44189 (PDO setAttribute() does not properly validate values for

native numeric options)

1 files changed, 14 insertions, 0 deletions

diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c
index 4177d6441a..65a5735d2c 100755
--- a/ext/pdo/pdo_dbh.c
+++ b/ext/pdo/pdo_dbh.c
@@ -669,8 +669,17 @@ static PHP_METHOD(PDO, rollBack)
 
 static int pdo_dbh_attribute_set(pdo_dbh_t *dbh, long attr, zval *value TSRMLS_DC) /* {{{ */
 {
+
+#define PDO_LONG_PARAM_CHECK \
+	if (Z_TYPE_P(value) != IS_LONG && Z_TYPE_P(value) != IS_STRING && Z_TYPE_P(value) != IS_BOOL) { \
+		pdo_raise_impl_error(dbh, NULL, "HY000", "attribute value must be an integer" TSRMLS_CC); \
+		PDO_HANDLE_DBH_ERR(); \
+		return FAILURE; \
+	} \
+
 	switch (attr) {
 		case PDO_ATTR_ERRMODE:
+			PDO_LONG_PARAM_CHECK;
 			convert_to_long(value);
 			switch (Z_LVAL_P(value)) {
 				case PDO_ERRMODE_SILENT:
@@ -686,6 +695,7 @@ static int pdo_dbh_attribute_set(pdo_dbh_t *dbh, long attr, zval *value TSRMLS_D
 			return FAILURE;
 
 		case PDO_ATTR_CASE:
+			PDO_LONG_PARAM_CHECK;
 			convert_to_long(value);
 			switch (Z_LVAL_P(value)) {
 				case PDO_CASE_NATURAL:
@@ -701,6 +711,7 @@ static int pdo_dbh_attribute_set(pdo_dbh_t *dbh, long attr, zval *value TSRMLS_D
 			return FAILURE;
 
 		case PDO_ATTR_ORACLE_NULLS:
+			PDO_LONG_PARAM_CHECK;
 			convert_to_long(value);
 			dbh->oracle_nulls = Z_LVAL_P(value);
 			return SUCCESS;
@@ -714,6 +725,8 @@ static int pdo_dbh_attribute_set(pdo_dbh_t *dbh, long attr, zval *value TSRMLS_D
 						return FAILURE;
 					}
 				}
+			} else {
+				PDO_LONG_PARAM_CHECK;
 			}
 			convert_to_long(value);
 			if (Z_LVAL_P(value) == PDO_FETCH_USE_DEFAULT) {
@@ -724,6 +737,7 @@ static int pdo_dbh_attribute_set(pdo_dbh_t *dbh, long attr, zval *value TSRMLS_D
 			return SUCCESS;
 
 		case PDO_ATTR_STRINGIFY_FETCHES:
+			PDO_LONG_PARAM_CHECK;
 			convert_to_long(value);
 			dbh->stringify = Z_LVAL_P(value) ? 1 : 0;
 			return SUCCESS;