iliaa Thu Dec 23 14:29:36 2004 EDT
Modified files: (Branch: PHP_4_3)
/php-src/ext/fbsql php_fbsql.c
Log:
MFH: Fixed several buffer overflows.
http://cvs.php.net/diff.php/php-src/ext/fbsql/php_fbsql.c?r1=1.86.2.9&r2=1.86.2.10&ty=u
Index: php-src/ext/fbsql/php_fbsql.c
diff -u php-src/ext/fbsql/php_fbsql.c:1.86.2.9
php-src/ext/fbsql/php_fbsql.c:1.86.2.10
--- php-src/ext/fbsql/php_fbsql.c:1.86.2.9 Tue Aug 24 14:00:05 2004
+++ php-src/ext/fbsql/php_fbsql.c Thu Dec 23 14:29:36 2004
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php_fbsql.c,v 1.86.2.9 2004/08/24 18:00:05 fmk Exp $ */
+/* $Id: php_fbsql.c,v 1.86.2.10 2004/12/23 19:29:36 iliaa Exp $ */
/* TODO:
*
@@ -459,11 +459,11 @@
if (FB_SQL_G(allowPersistent))
{
- sprintf(buf, "%ld", FB_SQL_G(persistentCount));
+ snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(persistentCount));
php_info_print_table_row(2, "Active Persistent Links", buf);
}
- sprintf(buf, "%ld", FB_SQL_G(linkCount));
+ snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(linkCount));
php_info_print_table_row(2, "Active Links", buf);
/*
@@ -507,7 +507,9 @@
if (userName == NULL) userName = FB_SQL_G(userName);
if (userPassword == NULL) userPassword = FB_SQL_G(userPassword);
- sprintf(name, "fbsql_%s_%s_%s", hostName, userName, userPassword);
+ if (snprintf(name, sizeof(name), "fbsql_%s_%s_%s", hostName, userName,
userPassword) < 0) {
+ RETURN_FALSE;
+ }
if (!FB_SQL_G(allowPersistent)) {
persistent=0;
@@ -818,9 +820,21 @@
WRONG_PARAM_COUNT;
break;
}
+
+ if (Z_LVAL_PP(Locking) < 0 || Z_LVAL_PP(Locking) > 2) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid locking
type.");
+ RETURN_FALSE;
+ }
+ if (Z_LVAL_PP(strIsolation) < 0 || Z_LVAL_PP(Isolation) > 4) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid isolation
type.");
+ RETURN_FALSE;
+ }
+
ZEND_FETCH_RESOURCE2(phpLink, PHPFBLink *, fbsql_link_index, -1,
"FrontBase-Link", le_link, le_plink);
- sprintf(strSQL, "SET TRANSACTION LOCKING %s, ISOLATION %s;",
strLocking[Z_LVAL_PP(Locking)], strIsolation[Z_LVAL_PP(Isolation)]);
+ if (snprintf(strSQL, sizeof(strSQL) , "SET TRANSACTION LOCKING %s,
ISOLATION %s;", strLocking[Z_LVAL_PP(Locking)],
strIsolation[Z_LVAL_PP(Isolation)]) < 0) {
+ RETURN_FALSE;
+ }
md = fbcdcExecuteDirectSQL(phpLink->connection, strSQL);
fbcmdRelease(md);
@@ -1417,7 +1431,9 @@
convert_to_string_ex(password);
userPassword = Z_STRVAL_PP(password);
- sprintf(buffer, "SET AUTHORIZATION %s;", userName);
+ if (snprintf(buffer, sizeof(buffer), "SET AUTHORIZATION %s;", userName)
< 0) {
+ RETURN_FALSE;
+ }
phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, buffer, phpLink);
if (Z_LVAL_P(return_value))
@@ -2084,7 +2100,9 @@
RETURN_FALSE;
}
- sprintf(sql, "SELECT * FROM %s WHERE 1=0;", tableName);
+ if (snprintf(sql, sizeof(sql), "SELECT * FROM %s WHERE 1=0;",
tableName) < 0) {
+ RETURN_FALSE;
+ }
phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, sql, phpLink);
}
@@ -2268,7 +2286,7 @@
{
int v = *((int*)data);
char b[128];
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2277,7 +2295,7 @@
{
short int v = *((FBTinyInteger*)data);
char b[128];
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2288,9 +2306,9 @@
FBLongInteger v = *((FBLongInteger*)data);
char b[128];
#ifdef PHP_WIN32
- sprintf(b, "%I64i", v);
+ snprintf(b, sizeof(b), "%I64i", v);
#else
- sprintf(b, "%ll", v);
+ snprintf(b, sizeof(b), "%ll", v);
#endif
phpfbestrdup(b, length, value);
}
@@ -2300,7 +2318,7 @@
{
short v = *((short*)data);
char b[128];
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2313,7 +2331,7 @@
{
double v = *((double*)data);
char b[128];
- sprintf(b, "%f", v);
+ snprintf(b, sizeof(b), "%f", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2346,7 +2364,7 @@
*length = l*2+3+1;
if (value)
{
- char* r = emalloc(l*2+3+1);
+ char* r = safe_emalloc(l, 2, 4);
r[0] = 'X';
r[1] = '\'';
for (i = 0; i < nBits / 8; i++)
@@ -2368,7 +2386,7 @@
*length = l*2+3+1;
if (value)
{
- char* r = emalloc(l*2+3+1);
+ char* r = safe_emalloc(l, 2, 4);
r[0] = 'B';
r[1] = '\'';
for (i = 0; i < nBits; i++)
@@ -2400,7 +2418,7 @@
{
char b[128];
int v = *((unsigned int*)data);
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2409,7 +2427,7 @@
{
char b[128];
double seconds = *((double*)data);
- sprintf(b, "%f", seconds);
+ snprintf(b, sizeof(b), "%f", seconds);
phpfbestrdup(b, length, value);
}
break;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
