author | Remi Collet <remi@php.net> | 2013-05-31 08:39:32 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2013-05-31 08:39:32 +0200 |
commit | 1c623e3b07128e78362911ff5754e7eee57fa8bb (patch) | |
tree | 7681d1d0016601db2ee70dc3977f0e97a316c47c /ext/pdo_pgsql/pgsql_driver.c | |
parent | 13e5c97ffd75821c01bbec79c1d2233c50d36b0e (diff) | |
download | php-git-1c623e3b07128e78362911ff5754e7eee57fa8bb.tar.gz |
Fixed Bug #64949 (Buffer overflow in _pdo_pgsql_error)
There are a lot of calls such as:
pdo_pgsql_error(dbh, PGRES_FATAL_ERROR, "Copy command failed");
Where the 3rd parameter is an error message string where a sqlstate (5 chars)
is expected. This causes a segfault in copy_from.phpt and copy_to.phpt.
This is only a sanity check to avoid buffer overflow, but obviously these
calls need to be fixed (using NULL or a correct sqlstate).
Diffstat (limited to 'ext/pdo_pgsql/pgsql_driver.c')
-rw-r--r-- | ext/pdo_pgsql/pgsql_driver.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c index 645fd36e84..55f441808e 100644 --- a/ext/pdo_pgsql/pgsql_driver.c +++ b/ext/pdo_pgsql/pgsql_driver.c @@ -76,7 +76,7 @@ int _pdo_pgsql_error(pdo_dbh_t *dbh, pdo_stmt_t *stmt, int errcode, const char * einfo->errmsg = NULL; } - if (sqlstate == NULL) { + if (sqlstate == NULL || strlen(sqlstate) >= sizeof(pdo_error_type)) { strcpy(*pdo_err, "HY000"); } else { |
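Review bot: the added test `strlen(sqlstate) >= sizeof(pdo_error_type)` only rejects strings that are too long for the buffer, so a caller that passes a short free-text message instead of a sqlstate still falls through to the `else` branch and is treated as a valid code. The commit message says a sqlstate is 5 characters, so comparing against that length (`strlen(sqlstate) != 5`, assuming `pdo_error_type` is sized for five characters plus the terminator) would reject both the over-long and the too-short case. In the lines shown, the fallback to "HY000" does not keep the caller's text anywhere, so a message such as "Copy command failed" is replaced without trace; a short comment on the condition stating that it guards against callers passing a message where a sqlstate is expected, and that those callers should pass NULL or a real sqlstate, would stop the check from being read as the intended contract.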