kalle Wed, 18 Aug 2010 20:16:05 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=302457
Log: Fixed possible crash in php_mssql_get_column_content_without_type() # Also fix NEWS entry in PHP_5_2 for previous commit Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c U php/php-src/trunk/ext/mssql/php_mssql.c Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2010-08-18 20:00:18 UTC (rev 302456) +++ php/php-src/branches/PHP_5_2/NEWS 2010-08-18 20:16:05 UTC (rev 302457) @@ -1,6 +1,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2010, PHP 5.2.15 +- Fixed possible crash in php_mssql_get_column_content_without_type(). (Kalle) + +- Fixed bug #52636 (php_mysql_fetch_hash writes long value into int). + (Kalle, rein at basefarm dot no) - Fixed bug #52436 (Compile error if systems do not have stdint.h) (Sriram Natarajan) - Fixed bug #52390 (mysqli_report() should be per-request setting). (Kalle) @@ -33,8 +37,6 @@ PDOStatement if instantiated directly instead of doing by the PDO methods. (Felipe) -- Fixed bug #52636 (php_mysql_fetch_hash writes long value into int). - (Kalle, rein at basefarm dot no) - Fixed bug #52317 (Segmentation fault when using mail() on a rhel 4.x (only 64 bit)). (Adam) - Fixed bug #52238 (Crash when an Exception occured in iterator_to_array). Modified: php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c 2010-08-18 20:00:18 UTC (rev 302456) +++ php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c 2010-08-18 20:16:05 UTC (rev 302457) @@ -979,6 +979,14 @@ unsigned char *res_buf; int res_length = dbdatlen(mssql_ptr->link, offset); + if (res_length == 0) { + ZVAL_NULL(result); + return; + } else if (res_length < 0) { + ZVAL_FALSE(result); + return; + } + res_buf = (unsigned char *) emalloc(res_length+1); bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset)); memcpy(res_buf, bin, res_length); Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-08-18 20:00:18 UTC (rev 302456) +++ php/php-src/branches/PHP_5_3/NEWS 2010-08-18 20:16:05 UTC (rev 302457) @@ -11,6 +11,8 @@ (Kalle) - Changed the $context parameter on copy() to actually have an effect. (Kalle) +- Fixed possible crash in php_mssql_get_column_content_without_type(). (Kalle) + - Fixed bug #52636 (php_mysql_fetch_hash writes long value into int). (Kalle, rein at basefarm dot no) - Fixed bug #52613 (crash in mysqlnd after hitting memory limit). (Andrey) Modified: php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c 2010-08-18 20:00:18 UTC (rev 302456) +++ php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c 2010-08-18 20:16:05 UTC (rev 302457) @@ -1059,6 +1059,14 @@ unsigned char *res_buf; int res_length = dbdatlen(mssql_ptr->link, offset); + if (res_length == 0) { + ZVAL_NULL(result); + return; + } else if (res_length < 0) { + ZVAL_FALSE(result); + return; + } + res_buf = (unsigned char *) emalloc(res_length+1); bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset)); res_buf[res_length] = '\0'; Modified: php/php-src/trunk/ext/mssql/php_mssql.c =================================================================== --- php/php-src/trunk/ext/mssql/php_mssql.c 2010-08-18 20:00:18 UTC (rev 302456) +++ php/php-src/trunk/ext/mssql/php_mssql.c 2010-08-18 20:16:05 UTC (rev 302457) @@ -1059,6 +1059,14 @@ unsigned char *res_buf; int res_length = dbdatlen(mssql_ptr->link, offset); + if (res_length == 0) { + ZVAL_NULL(result); + return; + } else if (res_length < 0) { + ZVAL_FALSE(result); + return; + } + res_buf = (unsigned char *) emalloc(res_length+1); bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset)); res_buf[res_length] = '\0';
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php