-rw-r--r--ext/oci8/oci8_statement.c31
-rw-r--r--ext/oci8/package.xml2
-rw-r--r--ext/oci8/tests/bug74625.phpt65
3 files changed, 83 insertions, 15 deletions
diff --git a/ext/oci8/oci8_statement.c b/ext/oci8/oci8_statement.c
index 934673dd7c..7639340c12 100644
--- a/ext/oci8/oci8_statement.c
+++ b/ext/oci8/oci8_statement.c
@@ -38,6 +38,13 @@
#include "php_oci8.h"
#include "php_oci8_int.h"
+#if defined(OCI_MAJOR_VERSION) && (OCI_MAJOR_VERSION > 10) && \
+ (defined(__x86_64__) || defined(__LP64__) || defined(_LP64) || defined(_WIN64))
+typedef ub8 oci_phpsized_int;
+#else
+typedef ub4 oci_phpsized_int;
+#endif
+
/* {{{ php_oci_statement_create()
Create statemend handle and allocate necessary resources */
php_oci_statement *php_oci_statement_create(php_oci_connection *connection, char *query, int query_len)
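Review bot: Both branches of `oci_phpsized_int` are unsigned (`ub8`/`ub4`), and the `#else` branch is 4 bytes whatever the width of `zend_long`, while the values stored through it are signed `zend_long`s. On a 64-bit build that falls into the `#else` branch, the read-back `ZVAL_LONG(entry, ((oci_phpsized_int *)(bind->array.elements))[i])` in `php_oci_bind_post_exec` would still zero-extend a negative result, and the store in `php_oci_bind_array_helper_number` would still truncate. The signed OCI types would match the data: `typedef sb8 oci_phpsized_int;` and `typedef sb4 oci_phpsized_int;`. A one-line comment above the typedef would also help, for example `/* Element type of integer bind buffers handed to OCI; as wide as zend_long only on the 64-bit branch */`.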
@@ -997,10 +1004,10 @@ int php_oci_bind_post_exec(zval *data)
for (i = 0; i < (int) bind->array.current_length; i++) {
if ((i < (int) bind->array.old_length) && (entry = zend_hash_get_current_data(hash)) != NULL) {
zval_dtor(entry);
- ZVAL_LONG(entry, ((ub4 *)(bind->array.elements))[i]);
+ ZVAL_LONG(entry, ((oci_phpsized_int *)(bind->array.elements))[i]);
zend_hash_move_forward(hash);
} else {
- add_next_index_long(bind->zval, ((ub4 *)(bind->array.elements))[i]);
+ add_next_index_long(bind->zval, ((oci_phpsized_int *)(bind->array.elements))[i]);
}
}
break;
@@ -1153,14 +1160,8 @@ int php_oci_bind_by_name(php_oci_statement *statement, char *name, size_t name_l
return 1;
}
convert_to_long(param);
-#if defined(OCI_MAJOR_VERSION) && (OCI_MAJOR_VERSION > 10) && \
- (defined(__x86_64__) || defined(__LP64__) || defined(_LP64) || defined(_WIN64))
- bind_data = (ub8 *)&Z_LVAL_P(param);
- value_sz = sizeof(ub8);
-#else
- bind_data = (ub4 *)&Z_LVAL_P(param);
- value_sz = sizeof(ub4);
-#endif
+ bind_data = (oci_phpsized_int *)&Z_LVAL_P(param);
+ value_sz = sizeof(oci_phpsized_int);
mode = OCI_DEFAULT;
break;
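Review bot: The cast `(oci_phpsized_int *)&Z_LVAL_P(param)` hands OCI a pointer into the zval itself, which is only sound when `sizeof(oci_phpsized_int) == sizeof(zend_long)`; nothing in the hunk states or checks that. On the `ub4` fallback with a 64-bit `zend_long`, OCI would read and write only 4 of the 8 bytes, so an OUT value leaves the other half of the zval unchanged, and which half is used depends on byte order. This predates the commit, but now that the type has a name a comment could record it: `/* OCI accesses value_sz bytes of the zval in place; narrower than zend_long on the ub4 fallback */`. `php_oci_bind_by_name` starts and ends outside the hunk.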
@@ -1783,10 +1784,10 @@ php_oci_bind *php_oci_bind_array_helper_number(zval *var, zend_long max_table_le
bind = emalloc(sizeof(php_oci_bind));
ZVAL_UNDEF(&bind->parameter);
- bind->array.elements = (ub4 *)safe_emalloc(max_table_length, sizeof(ub4), 0);
+ bind->array.elements = (oci_phpsized_int *)safe_emalloc(max_table_length, sizeof(oci_phpsized_int), 0);
bind->array.current_length = zend_hash_num_elements(Z_ARRVAL_P(var));
bind->array.old_length = bind->array.current_length;
- bind->array.max_length = sizeof(ub4);
+ bind->array.max_length = sizeof(oci_phpsized_int);
bind->array.element_lengths = safe_emalloc(max_table_length, sizeof(ub2), 0);
memset(bind->array.element_lengths, 0, max_table_length * sizeof(ub2));
bind->array.indicators = NULL;
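Review bot: `bind->array.current_length` is taken from the PHP array's element count with no visible clamp to `max_table_length`, while `elements` and `element_lengths` are allocated for exactly `max_table_length` entries. The fill loop in the next hunk is bounded by `max_table_length`, but `php_oci_bind_post_exec` indexes `elements[i]` up to `current_length`, and each of those reads is now 8 bytes wide on 64-bit builds. If neither the caller nor OCI rejects an array longer than `max_table_length` (not visible here), clamp it after the assignment: `if ((zend_long) bind->array.current_length > max_table_length) bind->array.current_length = (ub4) max_table_length;` (assuming `current_length` is a `ub4`; its declaration is not shown). The function starts and ends outside this hunk.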
@@ -1794,14 +1795,14 @@ php_oci_bind *php_oci_bind_array_helper_number(zval *var, zend_long max_table_le
zend_hash_internal_pointer_reset(hash);
for (i = 0; i < max_table_length; i++) {
if (i < bind->array.current_length) {
- bind->array.element_lengths[i] = sizeof(ub4);
+ bind->array.element_lengths[i] = sizeof(oci_phpsized_int);
}
if ((i < bind->array.current_length) && (entry = zend_hash_get_current_data(hash)) != NULL) {
convert_to_long_ex(entry);
- ((ub4 *)bind->array.elements)[i] = (ub4) Z_LVAL_P(entry);
+ ((oci_phpsized_int *)bind->array.elements)[i] = (oci_phpsized_int) Z_LVAL_P(entry);
zend_hash_move_forward(hash);
} else {
- ((ub4 *)bind->array.elements)[i] = 0;
+ ((oci_phpsized_int *)bind->array.elements)[i] = 0;
}
}
zend_hash_internal_pointer_reset(hash);
diff --git a/ext/oci8/package.xml b/ext/oci8/package.xml
index 0522e35331..15109c2bf3 100644
--- a/ext/oci8/package.xml
+++ b/ext/oci8/package.xml
@@ -61,6 +61,7 @@ Interoperability Support" (ID 207303.1) for details.
<notes>
This version is for PHP 7 only.
Added TAF callback support (PR #2459, KoenigsKind)
+Fixed bug #74625 (Integer overflow in oci_bind_array_by_name). (Ingmar Runge)
</notes>
<contents>
<dir name="/">
@@ -164,6 +165,7 @@ Added TAF callback support (PR #2459, KoenigsKind)
<file name="bug71422.phpt" role="test" />
<file name="bug71600.phpt" role="test" />
<file name="bug72524.phpt" role="test" />
+ <file name="bug74625.phpt" role="test" />
<file name="clientversion.phpt" role="test" />
<file name="close.phpt" role="test" />
<file name="coll_001.phpt" role="test" />
diff --git a/ext/oci8/tests/bug74625.phpt b/ext/oci8/tests/bug74625.phpt
new file mode 100644
index 0000000000..df9440e42a
--- /dev/null
+++ b/ext/oci8/tests/bug74625.phpt
@@ -0,0 +1,65 @@
+--TEST--
+Bug #74625 (Integer overflow in oci_bind_array_by_name)
+--SKIPIF--
+<?php
+if (!extension_loaded('oci8')) die ("skip no oci8 extension");
+?>
+--FILE--
+<?php
+require(dirname(__FILE__).'/connect.inc');
+
+// Initialization
+
+$stmtarray = array(
+ "CREATE TABLE bug74625_tab (NAME NUMBER)",
+ "CREATE OR REPLACE PACKAGE PKG74625 AS
+ TYPE ARRTYPE IS TABLE OF NUMBER INDEX BY BINARY_INTEGER;
+ PROCEDURE iobind(c1 IN OUT ARRTYPE);
+ END PKG74625;",
+ "CREATE OR REPLACE PACKAGE BODY PKG74625 AS
+ PROCEDURE iobind(c1 IN OUT ARRTYPE) IS
+ BEGIN
+ FOR i IN 1..5 LOOP
+ c1(i) := c1(i) * 2;
+ END LOOP;
+ END iobind;
+ END PKG74625;"
+);
+
+oci8_test_sql_execute($c, $stmtarray);
+
+$statement = oci_parse($c, "BEGIN pkg74625.iobind(:c1); END;");
+
+$array = Array(-1,-2,-3,-4,-5);
+
+oci_bind_array_by_name($statement, ":c1", $array, 5, -1, SQLT_INT);
+
+oci_execute($statement);
+
+var_dump($array);
+
+// Cleanup
+$stmtarray = array(
+ "DROP TABLE bug74625_tab",
+ "DROP PACKAGE PKG74625"
+);
+
+oci8_test_sql_execute($c, $stmtarray);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+array(5) {
+ [0]=>
+ int(-2)
+ [1]=>
+ int(-4)
+ [2]=>
+ int(-6)
+ [3]=>
+ int(-8)
+ [4]=>
+ int(-10)
+}
+===DONE===
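Review bot: The test binds only small negative values, so it pins the sign handling but not the widening of the element buffer to 8 bytes. A value outside the 32-bit range would cover the widening too; because the expected output then differs on 32-bit PHP, that case probably belongs in a separate test skipped when `PHP_INT_SIZE` is 4. Separately, `bug74625_tab` is created and dropped but never used, so `"CREATE TABLE bug74625_tab (NAME NUMBER)",` and `"DROP TABLE bug74625_tab",` can be removed.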