authorXinchen Hui <laruence@php.net>2015-07-07 21:37:35 +0800
committerXinchen Hui <laruence@php.net>2015-07-07 21:37:35 +0800
commit26471eb69c3cd9e8162ff3b398d33919d9075191 (patch)
tree7ffda25985a415f2dd372e822a5de1fac05cb38f
parente41f600365fe9f27727a62a850a4d55416ae856f (diff)
downloadphp-git-26471eb69c3cd9e8162ff3b398d33919d9075191.tar.gz
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk())
-rw-r--r--NEWS4
-rw-r--r--ext/sqlite3/sqlite3.c12
-rw-r--r--ext/sqlite3/tests/bug69972.phpt28
3 files changed, 42 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 963a3f1ce0..a8cf659c05 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,10 @@ PHP NEWS
. Fixed bug #69970 (Use-after-free vulnerability in
spl_recursive_it_move_forward_ex()). (Laruence)
+- Sqlite3:
+ . Fixed bug #69972 (Use-after-free vulnerability in
+ sqlite3SafetyCheckSickOrOk()). (Laruence)
+
09 Jul 2015, PHP 5.6.11
- Core:
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 58ab5e80a1..16319a7341 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -287,7 +287,11 @@ PHP_METHOD(sqlite3, lastErrorCode)
return;
}
- RETURN_LONG(sqlite3_errcode(db_obj->db));
+ if (db_obj->initialised) {
+ RETURN_LONG(sqlite3_errcode(db_obj->db));
+ } else {
+ RETURN_LONG(0);
+ }
}
/* }}} */
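Review bot: The `if (db_obj->initialised)` guard in lastErrorCode, and the identical one in the lastErrorMsg hunk that follows, carries no comment explaining that `db_obj->db` may already have been released, so a later cleanup could remove it as redundant. I would add above each guard something like `/* db_obj->db is freed by close(); it must not reach sqlite3_errcode()/sqlite3_errmsg() once initialised is cleared */`. The guard protects only if close() resets `initialised`, which happens outside these hunks and is worth confirming, along with whether any other method still passes `db_obj->db` to the library without the same check. Returning `0` here is also indistinguishable from SQLITE_OK, so callers cannot tell "closed" from "no error"; that deserves a mention in the method documentation. Both function bodies start outside their hunks.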
@@ -305,7 +309,11 @@ PHP_METHOD(sqlite3, lastErrorMsg)
return;
}
- RETVAL_STRING((char *)sqlite3_errmsg(db_obj->db), 1);
+ if (db_obj->initialised) {
+ RETURN_STRING((char *)sqlite3_errmsg(db_obj->db), 1);
+ } else {
+ RETURN_EMPTY_STRING();
+ }
}
/* }}} */
diff --git a/ext/sqlite3/tests/bug69972.phpt b/ext/sqlite3/tests/bug69972.phpt
new file mode 100644
index 0000000000..539ebd2696
--- /dev/null
+++ b/ext/sqlite3/tests/bug69972.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk())
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+echo "SELECTING from invalid table\n";
+$result = $db->query("SELECT * FROM non_existent_table");
+echo "Closing database\n";
+var_dump($db->close());
+echo "Done\n";
+
+// Trigger the use-after-free
+echo "Error Code: " . $db->lastErrorCode() . "\n";
+echo "Error Msg: " . $db->lastErrorMsg() . "\n";
+?>
+--EXPECTF--
+SELECTING from invalid table
+
+Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in %sbug69972.php on line %d
+Closing database
+bool(true)
+Done
+Error Code: 0
+Error Msg:
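Review bot: The comment `// Trigger the use-after-free` describes the pre-fix behaviour and will mislead readers once the guard is in place. Something like `// After close() the handle is freed: both calls must return defaults without touching it` states what the test now pins. The expected output proves only the return values; a read of freed memory does not always crash, so this regression test is only dependable when the suite is also run under a memory checker such as valgrind. The SKIPIF line `die('skip')` gives no reason; `die('skip sqlite3 extension not loaded')` would make skipped runs self-explanatory.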