Weird.. Isn't that a bug in php_stream_printf() then? I would say it
shouldn't read past the specified length.. otherwise the same bug may appear
in other places.
What do you think?
Nuno
----- Original Message -----
The patch was already n 5.2, the issue is that the str (key) is not
guaranteed to be NULL terminated (nor does it need to be), so when
strlen() is attempted on top of it you could end up reading more data
then necessary.
On 11-Dec-08, at 10:43 AM, Nuno Lopes wrote:
Modified files: (Branch: PHP_5_3)
/php-src/ext/pdo pdo_stmt.c
Log:
Fixed a possible corruption inside PDOStatement::debugDumpParams()
http://cvs.php.net/viewvc.cgi/php-src/ext/pdo/pdo_stmt.c?r1=1.118.2.38.2.24.2.39&r2=1.118.2.38.2.24.2.40&diff_format=u
Index: php-src/ext/pdo/pdo_stmt.c
diff -u php-src/ext/pdo/pdo_stmt.c:1.118.2.38.2.24.2.39 php-src/ext/
pdo/pdo_stmt.c:1.118.2.38.2.24.2.40
@@ -2209,7 +2209,9 @@
if (res == HASH_KEY_IS_LONG) {
php_stream_printf(out TSRMLS_CC, "Key: Position #%ld:\n", num);
} else if (res == HASH_KEY_IS_STRING) {
- php_stream_printf(out TSRMLS_CC, "Key: Name: [%d] %.*s\n", len, len,
str);
+ char *s = estrndup(str, len);
+ php_stream_printf(out TSRMLS_CC, "Key: Name: [%d] %.*s\n", len, len,
s);
+ efree(s);
}
Sorry for my ignorance, but isn't the new code exactly equivalent to the
old one, albeit a bit slower? I can't really see how a strndup() can
fix a corruption there.. If there's some problem, probably it's deeper
than this..
Nuno
Ilia Alshanetsky
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php