The patch was already n 5.2, the issue is that the str (key) is not guaranteed to be NULL terminated (nor does it need to be), so when strlen() is attempted on top of it you could end up reading more data then necessary.


On 11-Dec-08, at 10:43 AM, Nuno Lopes wrote:

Modified files:              (Branch: PHP_5_3)
  /php-src/ext/pdo pdo_stmt.c
Log:
Fixed a possible corruption inside PDOStatement::debugDumpParams()


http://cvs.php.net/viewvc.cgi/php-src/ext/pdo/pdo_stmt.c?r1=1.118.2.38.2.24.2.39&r2=1.118.2.38.2.24.2.40&diff_format=u
Index: php-src/ext/pdo/pdo_stmt.c
diff -u php-src/ext/pdo/pdo_stmt.c:1.118.2.38.2.24.2.39 php-src/ext/ pdo/pdo_stmt.c:1.118.2.38.2.24.2.40
@@ -2209,7 +2209,9 @@
if (res == HASH_KEY_IS_LONG) {
php_stream_printf(out TSRMLS_CC, "Key: Position #%ld:\n", num);
} else if (res == HASH_KEY_IS_STRING) {
- php_stream_printf(out TSRMLS_CC, "Key: Name: [%d] %.*s\n", len, len, str);
+ char *s = estrndup(str, len);
+ php_stream_printf(out TSRMLS_CC, "Key: Name: [%d] %.*s\n", len, len, s);
+ efree(s);
}

Sorry for my ignorance, but isn't the new code exactly equivalent to the old one, albeit a bit slower? I can't really see how a strndup() can fix a corruption there.. If there's some problem, probably it's deeper than this..
Nuno

Ilia Alshanetsky





--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to