-rw-r--r-- | ext/sqlite3/sqlite3.c | 10 | ||||
-rw-r--r-- | ext/sqlite3/tests/bug66550.phpt | 23 |
2 files changed, 32 insertions, 1 deletions
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index f1e759229a..028881f21a 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1252,6 +1252,7 @@ PHP_METHOD(sqlite3stmt, paramCount)
 		return;
 	}
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 	SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
 
 	RETURN_LONG(sqlite3_bind_parameter_count(stmt_obj->stmt));
@@ -1270,6 +1271,8 @@ PHP_METHOD(sqlite3stmt, close)
 		return;
 	}
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
+
 	if(stmt_obj->db_obj) {
 		zend_llist_del_element(&(stmt_obj->db_obj->free_list), object, (int (*)(void *, void *)) php_sqlite3_compare_stmt_zval_free);
 	}
@@ -1290,6 +1293,7 @@ PHP_METHOD(sqlite3stmt, reset)
 		return;
 	}
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 	SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
 
 	if (sqlite3_reset(stmt_obj->stmt) != SQLITE_OK) {
@@ -1312,6 +1316,7 @@ PHP_METHOD(sqlite3stmt, clear)
 		return;
 	}
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 	SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
 
 	if (sqlite3_clear_bindings(stmt_obj->stmt) != SQLITE_OK) {
@@ -1335,6 +1340,7 @@ PHP_METHOD(sqlite3stmt, readOnly)
 		return;
 	}
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 	SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
 
 #if SQLITE_VERSION_NUMBER >= 3007004
@@ -1410,6 +1416,7 @@ PHP_METHOD(sqlite3stmt, bindParam)
 		}
 	}
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 	SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
 
 	ZVAL_COPY(¶m.parameter, parameter);
@@ -1444,6 +1451,7 @@ PHP_METHOD(sqlite3stmt, bindValue)
 		}
 	}
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 	SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);
 
 	ZVAL_COPY(¶m.parameter, parameter);
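Review bot: The added `SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);` in paramCount sits directly above the existing `SQLITE3_CHECK_INITIALIZED_STMT(stmt_obj->stmt, SQLite3Stmt);` with nothing saying why the statement-pointer check alone was not enough, so the pair reads as a duplicate that a later cleanup could collapse. From the test, the failing scenario is SQLite3::close() finalizing the statement underneath a live SQLite3Stmt; the new guard presumably works because that close path clears `stmt_obj->initialised` while `stmt_obj->stmt` keeps its stale pointer — neither the macro definitions nor that path are in the hunk, so this is worth confirming. I would pin the intent with a comment above the new line: `/* the db may already be closed, which finalized stmt_obj->stmt; initialised is cleared then, the pointer is not */`. Note also that the warning text names the SQLite3 object although it is raised from a SQLite3Stmt method, which users will find confusing. paramCount's body continues outside the hunk.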
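Review bot: Applying the guard to SQLite3Stmt::close() turns an idempotent teardown into an error: after `$db->close()` — or after a first `$stmt->close()`, if finalizing through the free list clears `initialised` as it appears to — a second `$stmt->close()` used to fall through `zend_llist_del_element` with nothing to remove, and now emits a warning (an exception under enableExceptions) and returns false. Nothing is gained in safety, because with `initialised` clear there is no sqlite3_stmt left to touch, while cleanup code in finally blocks starts to warn. I would let the already-closed case succeed quietly, `if (!stmt_obj->initialised) { RETURN_TRUE; }`, placed where the macro is now, and keep the hard check for the methods that actually dereference `stmt_obj->stmt`. The return statement of close() is outside the hunk.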
@@ -1475,7 +1483,7 @@ PHP_METHOD(sqlite3stmt, execute)
 		return;
 	}
 
-	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3);
 
 	if (stmt_obj->bound_params) {
 		ZEND_HASH_FOREACH_PTR(stmt_obj->bound_params, param) {
diff --git a/ext/sqlite3/tests/bug66550.phpt b/ext/sqlite3/tests/bug66550.phpt
new file mode 100644
index 0000000000..a44515b0d9
--- /dev/null
+++ b/ext/sqlite3/tests/bug66550.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE==
|
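Review bot: The semicolon fix in execute() is fine, but it leaves a path the commit does not cover: execute() hands back a SQLite3Result which, as far as I recall the extension's object layout, holds its own reference to this php_sqlite3_stmt, so `$res = $stmt->execute(); $db->close(); $res->fetchArray();` reaches the same finalized sqlite3_stmt through the Result methods rather than through SQLite3Stmt. Those methods (fetchArray, columnName, columnType, numColumns, reset, finalize) are not in this diff; if they do not already test `result_obj->stmt_obj->initialised` they need the same guard, plus a sibling test for the Result path. The result construction and the rest of execute() are outside the hunk.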
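Review bot: The test pins only `$stmt->reset()`, yet the same guard was added to six other SQLite3Stmt methods in this commit, so a later regression in paramCount, clear, readOnly, bindValue, bindParam or execute would go unnoticed. Because the expected outcome is the same warning for each, the script can loop over the argument-less ones, `foreach (['paramCount', 'reset', 'clear', 'readOnly'] as $m) { $stmt->$m(); }`, then call `$stmt->bindValue(':id', 1);` and `$stmt->execute();`, with one `Warning: SQLite3Stmt::%s(): The SQLite3 object has not been correctly initialised in %s` line per call in --EXPECTF-- (keeping the blank line PHP prints between consecutive warnings). The trailing `%s` already absorbs the `on line N` suffix, so no line numbers need pinning.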