iliaa Thu Dec 23 14:29:12 2004 EDT
Modified files:
/php-src/ext/fbsql php_fbsql.c
Log:
Fixed several buffer overflows.
http://cvs.php.net/diff.php/php-src/ext/fbsql/php_fbsql.c?r1=1.107&r2=1.108&ty=u
Index: php-src/ext/fbsql/php_fbsql.c
diff -u php-src/ext/fbsql/php_fbsql.c:1.107 php-src/ext/fbsql/php_fbsql.c:1.108
--- php-src/ext/fbsql/php_fbsql.c:1.107 Mon Nov 22 17:40:20 2004
+++ php-src/ext/fbsql/php_fbsql.c Thu Dec 23 14:29:12 2004
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php_fbsql.c,v 1.107 2004/11/22 22:40:20 fmk Exp $ */
+/* $Id: php_fbsql.c,v 1.108 2004/12/23 19:29:12 iliaa Exp $ */
/* TODO:
*
@@ -482,11 +482,11 @@
if (FB_SQL_G(allowPersistent))
{
- sprintf(buf, "%ld", FB_SQL_G(persistentCount));
+ snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(persistentCount));
php_info_print_table_row(2, "Active Persistent Links", buf);
}
- sprintf(buf, "%ld", FB_SQL_G(linkCount));
+ snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(linkCount));
php_info_print_table_row(2, "Active Links", buf);
/*
@@ -530,7 +530,9 @@
if (userName == NULL) userName = FB_SQL_G(userName);
if (userPassword == NULL) userPassword = FB_SQL_G(userPassword);
- sprintf(name, "fbsql_%s_%s_%s", hostName, userName, userPassword);
+ if (snprintf(name, sizeof(name), "fbsql_%s_%s_%s", hostName, userName,
userPassword) < 0) {
+ RETURN_FALSE;
+ }
if (!FB_SQL_G(allowPersistent)) {
persistent=0;
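Review bot: The `< 0` test on the new `snprintf(name, sizeof(name), ...)` call does not detect truncation, so an over-long host, user and password combination is silently cut and the shortened `name` is used from here on. If `name` keys the persistent-link lookup (the `allowPersistent` branch follows, but the lookup itself is outside the hunk), two different credential sets that agree in the first `sizeof(name) - 1` characters would map to the same entry. Assuming the snprintf in use reports the would-be length as C99 does, compare the result with the buffer size, e.g. `if (n < 0 || (size_t)n >= sizeof(name)) { RETURN_FALSE; }`, or build the string with an allocating formatter instead. The same `< 0`-only check appears in the hunks at -842, -1520 and -2210, where truncation would send a cut-off SQL statement to the server.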
@@ -842,9 +844,21 @@
WRONG_PARAM_COUNT;
break;
}
+
+ if (Z_LVAL_PP(Locking) < 0 || Z_LVAL_PP(Locking) > 2) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid locking
type.");
+ RETURN_FALSE;
+ }
+ if (Z_LVAL_PP(strIsolation) < 0 || Z_LVAL_PP(Isolation) > 4) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid isolation
type.");
+ RETURN_FALSE;
+ }
+
ZEND_FETCH_RESOURCE2(phpLink, PHPFBLink *, fbsql_link_index, -1,
"FrontBase-Link", le_link, le_plink);
- sprintf(strSQL, "SET TRANSACTION LOCKING %s, ISOLATION %s;",
strLocking[Z_LVAL_PP(Locking)], strIsolation[Z_LVAL_PP(Isolation)]);
+ if (snprintf(strSQL, sizeof(strSQL) , "SET TRANSACTION LOCKING %s,
ISOLATION %s;", strLocking[Z_LVAL_PP(Locking)],
strIsolation[Z_LVAL_PP(Isolation)]) < 0) {
+ RETURN_FALSE;
+ }
md = fbcdcExecuteDirectSQL(phpLink->connection, strSQL);
fbcmdRelease(md);
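Review bot: The lower-bound test in the new isolation check reads `Z_LVAL_PP(strIsolation) < 0`, which names the string table rather than the `Isolation` argument, so a negative isolation value is not rejected and still indexes `strIsolation[]` out of bounds in the `snprintf` below. It should read `if (Z_LVAL_PP(Isolation) < 0 || Z_LVAL_PP(Isolation) > 4) {`. The limits 2 and 4 are also hard-coded; the table definitions are outside the hunk, so confirm they match, or, if the tables are true arrays, derive the bound with `sizeof(strIsolation) / sizeof(strIsolation[0])`.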
@@ -1520,7 +1534,9 @@
convert_to_string_ex(password);
userPassword = Z_STRVAL_PP(password);
- sprintf(buffer, "SET AUTHORIZATION %s;", userName);
+ if (snprintf(buffer, sizeof(buffer), "SET AUTHORIZATION %s;", userName)
< 0) {
+ RETURN_FALSE;
+ }
phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, buffer, phpLink, 0);
if (Z_LVAL_P(return_value))
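Review bot: Bounding the write does not make `SET AUTHORIZATION %s;` safe, because `userName` is still interpolated into the statement unquoted and unvalidated. If it comes from the script argument (its assignment is above the hunk), any content that is not a plain identifier changes the SQL handed to `phpfbQuery`. Validate it as an identifier or quote it per the server's rules before formatting, and record the requirement with a comment such as `/* userName is spliced into SQL: must be a validated identifier */`. The `SELECT * FROM %s WHERE 1=0;` call in the -2210 hunk has the same issue with `tableName`.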
@@ -2210,7 +2226,9 @@
RETURN_FALSE;
}
- sprintf(sql, "SELECT * FROM %s WHERE 1=0;", tableName);
+ if (snprintf(sql, sizeof(sql), "SELECT * FROM %s WHERE 1=0;",
tableName) < 0) {
+ RETURN_FALSE;
+ }
phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, sql, phpLink, 0);
}
@@ -2424,7 +2442,7 @@
{
int v = *((int*)data);
char b[128];
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2433,7 +2451,7 @@
{
short int v = *((FBTinyInteger*)data);
char b[128];
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2444,9 +2462,9 @@
FBLongInteger v = *((FBLongInteger*)data);
char b[128];
#ifdef PHP_WIN32
- sprintf(b, "%I64i", v);
+ snprintf(b, sizeof(b), "%I64i", v);
#else
- sprintf(b, "%ll", v);
+ snprintf(b, sizeof(b), "%ll", v);
#endif
phpfbestrdup(b, length, value);
}
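Review bot: The non-Windows branch still formats with `"%ll"`, which is a length modifier with no conversion specifier, so the behaviour is undefined and `b` may not hold the number at all. Switching to snprintf bounds the write but does not fix the output. Assuming `FBLongInteger` is a 64-bit signed type (its typedef is not visible here), the line should be `snprintf(b, sizeof(b), "%lld", (long long)v);`.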
@@ -2456,7 +2474,7 @@
{
short v = *((short*)data);
char b[128];
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2469,7 +2487,7 @@
{
double v = *((double*)data);
char b[128];
- sprintf(b, "%f", v);
+ snprintf(b, sizeof(b), "%f", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2524,7 +2542,7 @@
*length = l*2+3+1;
if (value)
{
- char* r = safe_emalloc(l, 2, 1);
+ char* r = safe_emalloc(l, 2, 4);
r[0] = 'B';
r[1] = '\'';
for (i = 0; i < nBits; i++)
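Review bot: The constant 4 now passed to `safe_emalloc(l, 2, 4)` duplicates the `3+1` in `*length = l*2+3+1` just above, and nothing ties the two together; the undersized allocation being fixed here apparently came from that kind of mismatch. A comment naming the four extra bytes would keep them in step, e.g. `/* +4: 'B', opening quote, closing quote, NUL; keep in sync with *length */` (the closing writes are outside the hunk, so confirm the breakdown). Note also that `*length` is computed with unchecked arithmetic while the allocation itself is overflow-checked.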
@@ -2556,7 +2574,7 @@
{
char b[128];
int v = *((unsigned int*)data);
- sprintf(b, "%d", v);
+ snprintf(b, sizeof(b), "%d", v);
phpfbestrdup(b, length, value);
}
break;
@@ -2565,7 +2583,7 @@
{
char b[128];
double seconds = *((double*)data);
- sprintf(b, "%f", seconds);
+ snprintf(b, sizeof(b), "%f", seconds);
phpfbestrdup(b, length, value);
}
break;