author | Stanislav Malyshev <stas@php.net> | 2015-04-05 22:38:03 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-04-05 22:38:20 -0700 |
commit | 2a81733c87d9d62becc46add120c41c4818396ca (patch) | |
tree | 23030dfd05280bd4ad45c75f3d2871cb3a933998 | |
parent | c167029eb6d22563ddc2a4b32588e25d8ad74ac4 (diff) | |
parent | 66b853d4261a813287ab5e379392e418bf715e82 (diff) | |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
Fix bug #66550 (SQLite prepared statement use-after-free)
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/sqlite3/sqlite3.c | 16 | ||||
-rw-r--r-- | ext/sqlite3/tests/bug66550.phpt | 23 |
3 files changed, 42 insertions, 0 deletions
@@ -6,6 +6,9 @@ PHP NEWS
 . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). (Anatol)
+- Sqlite3:
+ . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
+
 16 Apr 2015, PHP 5.6.8
 - Core:
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index bec51cc9f8..58ab5e80a1 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1287,6 +1287,8 @@ PHP_METHOD(sqlite3stmt, paramCount)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1305,6 +1307,8 @@ PHP_METHOD(sqlite3stmt, close)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1325,6 +1329,8 @@ PHP_METHOD(sqlite3stmt, reset)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1347,6 +1353,8 @@ PHP_METHOD(sqlite3stmt, clear)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1370,6 +1378,8 @@ PHP_METHOD(sqlite3stmt, readOnly)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 if (zend_parse_parameters_none() == FAILURE) {
 return;
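Review bot: The guard added in paramCount, and repeated verbatim in close, reset, clear and readOnly here and in bindParam, bindValue and execute further down, is an unterminated macro call that evidently returns early (the new test expects a warning and nothing else), and nothing at the call sites says so or says why it is needed. A one-line comment above each would record the lifetime rule, e.g. `/* statement is unusable once its SQLite3 connection is closed (bug #66550) */`. The check also only holds as long as whatever finalizes the statement clears `stmt_obj->initialised`; that code is outside this diff and is worth confirming for every path that frees the handle, not only SQLite3::close(). The third argument is `SQLite3`, so the warning names the connection class even though the method belongs to SQLite3Stmt; if that is not intended, `SQLite3Stmt` would point users at the right object. All of these method bodies start and end outside their hunks.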
@@ -1439,6 +1449,8 @@ PHP_METHOD(sqlite3stmt, bindParam)
 zval *object = getThis();
 struct php_sqlite3_bound_param param = {0};
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 param.param_number = -1;
 param.type = SQLITE3_TEXT;
@@ -1472,6 +1484,8 @@ PHP_METHOD(sqlite3stmt, bindValue)
 zval *object = getThis();
 struct php_sqlite3_bound_param param = {0};
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 param.param_number = -1;
 param.type = SQLITE3_TEXT;
@@ -1509,6 +1523,8 @@ PHP_METHOD(sqlite3stmt, execute)
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
diff --git a/ext/sqlite3/tests/bug66550.phpt b/ext/sqlite3/tests/bug66550.phpt
new file mode 100644
index 0000000000..a44515b0d9
--- /dev/null
+++ b/ext/sqlite3/tests/bug66550.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE== |
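Review bot: The regression test exercises only `$stmt->reset()` after `$db->close()`, while the commit adds the same guard to eight SQLite3Stmt methods, so a missing or later-removed check in any of the other seven would go unnoticed. Calling the rest after the close as well, for example `$stmt->execute();` and `$stmt->bindValue(':id', 1);`, each with its matching warning line in EXPECTF, would pin the whole fix. Because a use-after-free does not necessarily crash, the expected-output comparison is the only signal here; running the test under a memory checker would give a stronger one.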