Fixed possible crash inside sqlite_escape_string() and

sqlite_udf_encode_binary().

2 files changed, 15 insertions, 2 deletions

diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c
index d923045125..a16603b578 100644
--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
@@ -2604,7 +2604,7 @@ PHP_FUNCTION(sqlite_escape_string)
 		/* binary string */
 		int enclen;
 		
-		ret = emalloc( 1 + ((256 * stringlen + 1262) / 253) );
+		ret = emalloc( 1 + 5 + stringlen * (256 / 253) );
 		ret[0] = '\x01';
 		enclen = php_sqlite_encode_binary(string, stringlen, ret+1);
 		RETVAL_STRINGL(ret, enclen+1, 0);
@@ -2834,7 +2834,7 @@ PHP_FUNCTION(sqlite_udf_encode_binary)
 		int enclen;
 		char *ret;
 		
-		ret = emalloc( 1 + ((256 * datalen + 1262) / 253) );
+		ret = emalloc( 1 + 5 + datalen * (256 / 253) );
 		ret[0] = '\x01';
 		enclen = php_sqlite_encode_binary(data, datalen, ret+1);
 		RETVAL_STRINGL(ret, enclen+1, 0);
diff --git a/ext/sqlite/tests/sqlite_027.phpt b/ext/sqlite/tests/sqlite_027.phpt
new file mode 100755
index 0000000000..52c17b309b
--- /dev/null
+++ b/ext/sqlite/tests/sqlite_027.phpt
@@ -0,0 +1,13 @@
+--TEST--
+sqlite: crash inside sqlite_escape_string() & sqlite_udf_encode_binary
+--SKIPIF--
+<?php # vim:ft=php
+if (!extension_loaded("sqlite")) print "skip"; ?>
+--FILE--
+<?php
+	var_dump(strlen(sqlite_escape_string(str_repeat("\0", 20000000))));
+	var_dump(strlen(sqlite_udf_encode_binary(str_repeat("\0", 20000000))));
+?>
+--EXPECT--
+int(20000002)
+int(20000002)