Patch for PHP bug #81740
From d2466c199feb6ac59f004501d851811e236cb1ef Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 31 Oct 2022 17:20:23 +0100 | |
Subject: [PATCH] Fix #81740: PDO::quote() may return unquoted string | |
`sqlite3_snprintf()` expects its first parameter to be `int`; we need | |
to avoid overflow. | |
--- | |
ext/pdo_sqlite/sqlite_driver.c | 3 +++ | |
ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++ | |
2 files changed, 20 insertions(+) | |
create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt | |
diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c | |
index 4233ff10ff..5a72a1eda2 100644 | |
--- a/ext/pdo_sqlite/sqlite_driver.c | |
+++ b/ext/pdo_sqlite/sqlite_driver.c | |
@@ -232,6 +232,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t | |
/* NB: doesn't handle binary strings... use prepared stmts for that */ | |
static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype ) | |
{ | |
+ if (unquotedlen > (INT_MAX - 3) / 2) { | |
+ return 0; | |
+ } | |
*quoted = safe_emalloc(2, unquotedlen, 3); | |
sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted); | |
*quotedlen = strlen(*quoted); | |
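Review bot: The bound `(INT_MAX - 3) / 2` in the new guard is derived from the `2*unquotedlen + 3` size passed to `sqlite3_snprintf()` two lines below, but nothing in the code ties the two together, so a later edit to one can silently reintroduce the int truncation. I would add a comment above the check, e.g. `/* sqlite3_snprintf() takes an int size: keep 2*unquotedlen + 3 <= INT_MAX */`. The early return also leaves `*quoted` and `*quotedlen` unwritten, so every caller of the quoter has to test the return value before using them; that is worth stating in the function's header comment, since the callers are not visible in this hunk. The function body continues past the end of the hunk.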
diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt | |
new file mode 100644 | |
index 0000000000..99fb07c304 | |
--- /dev/null | |
+++ b/ext/pdo_sqlite/tests/bug81740.phpt | |
@@ -0,0 +1,17 @@ | |
+--TEST-- | |
+Bug #81740 (PDO::quote() may return unquoted string) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('pdo_sqlite')) print 'skip not loaded'; | |
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test"); | |
+?> | |
+--INI-- | |
+memory_limit=-1 | |
+--FILE-- | |
+<?php | |
+$pdo = new PDO("sqlite::memory:"); | |
+$string = str_repeat("a", 0x80000000); | |
+var_dump($pdo->quote($string)); | |
+?> | |
+--EXPECT-- | |
+bool(false) | |
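Review bot: The SKIPIF section does not guard against platforms where this test cannot run: `str_repeat("a", 0x80000000)` needs a 64-bit integer and roughly 2 GiB of free memory for the input string, even though the quoted buffer is never allocated. On a 32-bit build or a memory-constrained runner the test would presumably fail rather than skip; adding `if (PHP_INT_SIZE < 8) die("skip 64-bit only");` covers the first case. The first SKIPIF line also uses `print` where the second uses `die`, so a missing extension still falls through to the next check; `die('skip not loaded');` would be consistent.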
-- | |
2.38.1.windows.1 | |