kalle                                    Wed, 18 Aug 2010 20:16:05 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=302457

Log:
Fixed possible crash in php_mssql_get_column_content_without_type()

# Also fix NEWS entry in PHP_5_2 for previous commit

Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    U   php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c
    U   php/php-src/trunk/ext/mssql/php_mssql.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS   2010-08-18 20:00:18 UTC (rev 302456)
+++ php/php-src/branches/PHP_5_2/NEWS   2010-08-18 20:16:05 UTC (rev 302457)
@@ -1,6 +1,10 @@
 ´╗┐PHP                                                                        
NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2010, PHP 5.2.15
+- Fixed possible crash in php_mssql_get_column_content_without_type(). (Kalle)
+
+- Fixed bug #52636 (php_mysql_fetch_hash writes long value into int).
+  (Kalle, rein at basefarm dot no)
 - Fixed bug #52436 (Compile error if systems do not have stdint.h)
   (Sriram Natarajan)
 - Fixed bug #52390 (mysqli_report() should be per-request setting). (Kalle)
@@ -33,8 +37,6 @@
   PDOStatement if instantiated directly instead of doing by the PDO methods.
   (Felipe)

-- Fixed bug #52636 (php_mysql_fetch_hash writes long value into int).
-  (Kalle, rein at basefarm dot no)
 - Fixed bug #52317 (Segmentation fault when using mail() on a rhel 4.x (only 64
   bit)). (Adam)
 - Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).

Modified: php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c  2010-08-18 20:00:18 UTC 
(rev 302456)
+++ php/php-src/branches/PHP_5_2/ext/mssql/php_mssql.c  2010-08-18 20:16:05 UTC 
(rev 302457)
@@ -979,6 +979,14 @@
                unsigned char *res_buf;
                int res_length = dbdatlen(mssql_ptr->link, offset);

+               if (res_length == 0) {
+                       ZVAL_NULL(result);
+                       return;
+               } else if (res_length < 0) {
+                       ZVAL_FALSE(result);
+                       return;
+               }
+
                res_buf = (unsigned char *) emalloc(res_length+1);
                bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset));
                memcpy(res_buf, bin, res_length);

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-08-18 20:00:18 UTC (rev 302456)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-08-18 20:16:05 UTC (rev 302457)
@@ -11,6 +11,8 @@
   (Kalle)
 - Changed the $context parameter on copy() to actually have an effect. (Kalle)

+- Fixed possible crash in php_mssql_get_column_content_without_type(). (Kalle)
+
 - Fixed bug #52636 (php_mysql_fetch_hash writes long value into int).
   (Kalle, rein at basefarm dot no)
 - Fixed bug #52613 (crash in mysqlnd after hitting memory limit). (Andrey)

Modified: php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c  2010-08-18 20:00:18 UTC 
(rev 302456)
+++ php/php-src/branches/PHP_5_3/ext/mssql/php_mssql.c  2010-08-18 20:16:05 UTC 
(rev 302457)
@@ -1059,6 +1059,14 @@
                unsigned char *res_buf;
                int res_length = dbdatlen(mssql_ptr->link, offset);

+               if (res_length == 0) {
+                       ZVAL_NULL(result);
+                       return;
+               } else if (res_length < 0) {
+                       ZVAL_FALSE(result);
+                       return;
+               }
+
                res_buf = (unsigned char *) emalloc(res_length+1);
                bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset));
                res_buf[res_length] = '\0';

Modified: php/php-src/trunk/ext/mssql/php_mssql.c
===================================================================
--- php/php-src/trunk/ext/mssql/php_mssql.c     2010-08-18 20:00:18 UTC (rev 
302456)
+++ php/php-src/trunk/ext/mssql/php_mssql.c     2010-08-18 20:16:05 UTC (rev 
302457)
@@ -1059,6 +1059,14 @@
                unsigned char *res_buf;
                int res_length = dbdatlen(mssql_ptr->link, offset);

+               if (res_length == 0) {
+                       ZVAL_NULL(result);
+                       return;
+               } else if (res_length < 0) {
+                       ZVAL_FALSE(result);
+                       return;
+               }
+
                res_buf = (unsigned char *) emalloc(res_length+1);
                bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset));
                res_buf[res_length] = '\0';

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to