authorStanislav Malyshev <stas@php.net>2015-04-05 22:45:16 -0700
committerStanislav Malyshev <stas@php.net>2015-04-05 22:45:16 -0700
commitff740f16f9e544fe20265070ae82686b8ca3da66 (patch)
tree025a4c5151de5c69c940bbfa594f5f4cfefa929a
parent8976e8d9f05dbfae389934598e4ed473a48a9458 (diff)
parent2a81733c87d9d62becc46add120c41c4818396ca (diff)
Merge branch 'PHP-5.6'
* PHP-5.6:
  Fix bug #66550 (SQLite prepared statement use-after-free)

Conflicts:
	ext/sqlite3/sqlite3.c
-rw-r--r--ext/sqlite3/sqlite3.c10
-rw-r--r--ext/sqlite3/tests/bug66550.phpt23
2 files changed, 32 insertions, 1 deletions
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index f1e759229a..028881f21a 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1252,6 +1252,7 @@ PHP_METHOD(sqlite3stmt, paramCount)
return;
}
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
RETURN_LONG(sqlite3_bind_parameter_count(stmt_obj->stmt));
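Review bot: The new `SQLITE3_CHECK_INITIALIZED` line sits directly above `SQLITE3_CHECK_INITIALIZED_STMT` with nothing explaining why both guards are needed, and the same pair is introduced unexplained in the reset, clear, readOnly, bindParam and bindValue hunks below. The first guard tests the statement's own `initialised` flag but passes `SQLite3` as the class name, so, judging by the expected output in the new test, a statement whose database was closed reports that the SQLite3 object is uninitialised rather than the statement; presumably `initialised` is cleared when the database finalizes its statements on close, but that is not visible in this diff. A short comment above the first check in each method would make the intent durable, e.g. `/* initialised is cleared when the owning SQLite3 is closed (bug #66550); check it before touching stmt_obj->stmt */`. If the message is meant to name the statement, the third argument would be `SQLite3Stmt`, but the new test pins the current wording, so that is a deliberate choice to confirm rather than a defect.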
@@ -1270,6 +1271,8 @@ PHP_METHOD(sqlite3stmt, close)
return;
}
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
+
if(stmt_obj->db_obj) {
zend_llist_del_element(&(stmt_obj->db_obj->free_list), object, (int (*)(void *, void *)) php_sqlite3_compare_stmt_zval_free);
}
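Review bot: In close() the guard is placed before the `if(stmt_obj->db_obj)` block, so a statement already invalidated by `SQLite3::close()` (exactly the case the commit targets) now emits the warning and, assuming the macro returns as its use in `execute()` suggests, never reaches the success return that presumably follows, turning a harmless cleanup call into a failure. Double-close on a handle is conventionally a no-op; consider returning silently instead, `if (!stmt_obj->initialised) { RETURN_TRUE; }` ahead of the macro, or state in a comment that the warning on a closed statement is intended. The `if(stmt_obj->db_obj)` test after the guard is also partly redundant if the macro already rejects a null `db_obj`; the remainder of close() lies outside the hunk.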
@@ -1290,6 +1293,7 @@ PHP_METHOD(sqlite3stmt, reset)
return;
}
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
if (sqlite3_reset(stmt_obj->stmt) != SQLITE_OK) {
@@ -1312,6 +1316,7 @@ PHP_METHOD(sqlite3stmt, clear)
return;
}
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
if (sqlite3_clear_bindings(stmt_obj->stmt) != SQLITE_OK) {
@@ -1335,6 +1340,7 @@ PHP_METHOD(sqlite3stmt, readOnly)
return;
}
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
#if SQLITE_VERSION_NUMBER >= 3007004
@@ -1410,6 +1416,7 @@ PHP_METHOD(sqlite3stmt, bindParam)
}
}
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
ZVAL_COPY(&param.parameter, parameter);
@@ -1444,6 +1451,7 @@ PHP_METHOD(sqlite3stmt, bindValue)
}
}
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
ZVAL_COPY(&param.parameter, parameter);
@@ -1475,7 +1483,7 @@ PHP_METHOD(sqlite3stmt, execute)
return;
}
- SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
+ SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
if (stmt_obj->bound_params) {
ZEND_HASH_FOREACH_PTR(stmt_obj->bound_params, param) {
diff --git a/ext/sqlite3/tests/bug66550.phpt b/ext/sqlite3/tests/bug66550.phpt
new file mode 100644
index 0000000000..a44515b0d9
--- /dev/null
+++ b/ext/sqlite3/tests/bug66550.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE==
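Review bot: The regression test exercises only `reset()` after `$db->close()`, while the same guard was added to paramCount, close, clear, readOnly, bindParam, bindValue and execute, so a later regression in any of those would pass this test unnoticed. Extending the `--FILE--` section with calls such as `$stmt->paramCount();`, `$stmt->bindValue(':id', 1);` and `$stmt->execute();` after the close, each with its matching `Warning:` line in `--EXPECTF--`, would cover the whole change at negligible cost. Wrapping the calls as `var_dump($stmt->reset());` would additionally pin the return value the guard presumably produces, which the current expectation does not check.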