Browsing through the code of DBD, I noticed that SQLite2/3 don't quite
do the advertised bounds checking for get_entry functions. The
following patch should be good for both 1.2.2 and the trunk.
--
Bojan
diff -rauN apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite2.c apr-util-1.2.2/dbd/apr_dbd_sqlite2.c
--- apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite2.c 2005-08-11 18:51:16.0 +1000
+++ apr-util-1.2.2/dbd/apr_dbd_sqlite2.c 2006-02-24 08:59:30.0 +1100
@@ -168,6 +168,10 @@
static const char *dbd_sqlite_get_entry(const apr_dbd_row_t * row, int n)
{
+if ((n 0) || (n = row-res-sz)) {
+ return NULL;
+}
+
return row-data[n];
}
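Review bot: The comparison and member-access operators in the added guard are missing as displayed (`if ((n 0) || (n = row-res-sz))`, `row-data[n]`), so the hunk as shown would not compile; this looks like `<`, `>=` and `->` being stripped in transit, and the same stripping affects the sqlite3 hunk below. The intended line presumably reads `if ((n < 0) || (n >= row->res->sz)) {` and should be confirmed against the original mail before applying. Whether `row->res->sz` is the number of columns of `row->data` cannot be verified from this hunk, since `apr_dbd_row_t` and `apr_dbd_results_t` are defined outside it; a short comment on the guard, e.g. `/* n is caller-supplied; reject anything outside [0, res->sz) before indexing data */`, would document why the check exists.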
diff -rauN apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite3.c apr-util-1.2.2/dbd/apr_dbd_sqlite3.c
--- apr-util-1.2.2-vanilla/dbd/apr_dbd_sqlite3.c 2005-08-11 18:51:16.0 +1000
+++ apr-util-1.2.2/dbd/apr_dbd_sqlite3.c 2006-02-24 08:59:18.0 +1100
@@ -209,7 +209,7 @@
{
apr_dbd_column_t *column;
const char *value;
-if ((n + 1) row-columnCount) {
+if ((n 0) || (n = row-columnCount)) {
return NULL;
}
column = row-columns[n];
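Review bot: The replaced check (presumably `(n + 1) > row->columnCount`) already rejected indices at or past `columnCount`, so the substantive change here is the new rejection of negative `n`, and that is worth stating in the code so the guard is not simplified back later: `/* n is caller-supplied: negative or >= columnCount would index outside row->columns */`. As in the sqlite2 hunk, the operators appear to have been lost in transit and the intended form is presumably `if ((n < 0) || (n >= row->columnCount)) {`. The enclosing function's signature is above this hunk and its body continues after `column = row->columns[n];`, so what is done with `column` and `value` afterwards is not reviewable here.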