Browsing through the code of DBD, I noticed that SQLite2/3 don't quite do the advertised bounds checking for get_entry functions. The following patch should be good for both 1.2.2 and the trunk.

--
Bojan
diff -rauN apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite2.c apr-util-1.2.2/dbd/apr_dbd_sqlite2.c
--- apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite2.c	2005-08-11 18:51:16.000000000 +1000
+++ apr-util-1.2.2/dbd/apr_dbd_sqlite2.c	2006-02-24 08:59:30.000000000 +1100
@@ -168,6 +168,10 @@
 
 static const char *dbd_sqlite_get_entry(const apr_dbd_row_t * row, int n)
 {
+    if ((n < 0) || (n >= row->res->sz)) {
+      return NULL;
+    }
+
     return row->data[n];
 }
 
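Review bot: The new guard in dbd_sqlite_get_entry bounds n against `row->res->sz`, while the sqlite3 counterpart in the second hunk uses `row->columnCount`; from this hunk alone it is not visible whether `sz` is the column count (the bound `row->data[n]` actually needs) or something else such as a row count, so that should be confirmed before relying on the check, and a comment naming the invariant, `/* sz is the number of columns in each row; data[] has sz entries */`, would make it reviewable in place. The added `return NULL;` is indented six spaces where the surrounding function body uses four. Both callers now see NULL for an out-of-range index; if the function also returns NULL for a genuine NULL column value (not visible here) the two cases are indistinguishable to the caller, which is worth stating in the function's comment.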
diff -rauN apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite3.c apr-util-1.2.2/dbd/apr_dbd_sqlite3.c
--- apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite3.c	2005-08-11 18:51:16.000000000 +1000
+++ apr-util-1.2.2/dbd/apr_dbd_sqlite3.c	2006-02-24 08:59:18.000000000 +1100
@@ -209,7 +209,7 @@
 {
     apr_dbd_column_t *column;
     const char *value;
-    if ((n + 1) > row->columnCount) {
+    if ((n < 0) || (n >= row->columnCount)) {
         return NULL;
     }
     column = row->columns[n];
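Review bot: The rewritten condition now rejects negative n as well as n at or past columnCount, and it also avoids the `n + 1` arithmetic of the old check, which would overflow for n == INT_MAX; a short comment would preserve that rationale, e.g. `/* reject negative and out-of-range indices; compare n directly to avoid n + 1 overflow */`. The enclosing function's signature and the rest of its body lie outside the hunk, so whether a NULL return here is distinguishable from a NULL column value cannot be judged from this excerpt and may deserve a note in the function's documentation.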
