Commit: 34e5236836e9da4a5f0a384c73d482eb27793286 Author: Anatol Belski <a...@php.net> Tue, 10 Dec 2013 15:40:19 +0100 Parents: 77d4db39571c092fff6883d92f38110c58d7f343 Branches: str_size_and_int64
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=34e5236836e9da4a5f0a384c73d482eb27793286 Log: more range checks for ext/sqlite3 Changed paths: M ext/sqlite3/sqlite3.c Diff:
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 6f5d5e4..c43ef97 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -472,6 +472,11 @@ PHP_METHOD(sqlite3, prepare)
 stmt_obj->db_obj = db_obj;
 stmt_obj->db_obj_zval = getThis();
+ if (sql_len > INT_MAX) {
+ php_sqlite3_error(stmt_obj->db_obj, "SQL statement is too long.");
+ RETURN_FALSE;
+ }
+
 Z_ADDREF_P(object);
 errcode = sqlite3_prepare_v2(db_obj->db, sql, sql_len, &(stmt_obj->stmt), NULL);
@@ -531,6 +536,11 @@ PHP_METHOD(sqlite3, query)
 stmt_obj->db_obj = db_obj;
 stmt_obj->db_obj_zval = getThis();
+ if (sql_len > INT_MAX) {
+ php_sqlite3_error(stmt_obj->db_obj, "SQL statement is too long.");
+ RETURN_FALSE;
+ }
+
 Z_ADDREF_P(object);
 return_code = sqlite3_prepare_v2(db_obj->db, sql, sql_len, &(stmt_obj->stmt), NULL);
@@ -628,6 +638,11 @@ PHP_METHOD(sqlite3, querySingle)
 RETURN_FALSE;
 }
+ if (sql_len > INT_MAX) {
+ php_sqlite3_error(db_obj, "SQL statement is too long.");
+ RETURN_FALSE;
+ }
+
 /* If there was no return value then just execute the query */
 if (!return_value_used) {
 if (sqlite3_exec(db_obj->db, sql, NULL, NULL, &errtext) != SQLITE_OK) {
@@ -1519,12 +1534,12 @@ PHP_METHOD(sqlite3stmt, execute)
 case SQLITE_BLOB:
 {
 php_stream *stream = NULL;
- int blength;
+ zend_str_size_int blength;
 char *buffer = NULL;
 if (Z_TYPE_P(param->parameter) == IS_RESOURCE) {
 php_stream_from_zval_no_verify(stream, ¶m->parameter);
 if (stream == NULL) {
- php_sqlite3_error(stmt_obj->db_obj, "Unable to read stream for parameter %ld", param->param_number);
+ php_sqlite3_error(stmt_obj->db_obj, "Unable to read stream for parameter %pd", param->param_number);
 RETURN_FALSE;
 }
 blength = php_stream_copy_to_mem(stream, (void *)&buffer, PHP_STREAM_COPY_ALL, 0);
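Review bot: The new `sql_len > INT_MAX` guard in prepare returns after `stmt_obj->db_obj_zval = getThis();` but before `Z_ADDREF_P(object);`, so the failure path leaves a statement object that points at the database zval without holding a reference to it. If the statement's teardown (not visible in this hunk) releases that zval, the refcount would drop once too often; the query hunk has the same ordering. Moving the check above the statement setup and reporting through `db_obj`, as the querySingle hunk does with `php_sqlite3_error(db_obj, "SQL statement is too long.");`, avoids this. Both method bodies begin and end outside the hunks.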
@@ -1534,6 +1549,11 @@ PHP_METHOD(sqlite3stmt, execute)
 buffer = Z_STRVAL_P(param->parameter);
 }
+ if (blength > INT_MAX) {
+ php_sqlite3_error(stmt_obj->db_obj, "Input is too long for parameter %pd", param->param_number);
+ RETURN_FALSE;
+ }
+
 sqlite3_bind_blob(stmt_obj->stmt, param->param_number, buffer, blength, SQLITE_TRANSIENT);
 if (stream) {
@@ -1552,7 +1572,7 @@ PHP_METHOD(sqlite3stmt, execute)
 break;
 default:
- php_sqlite3_error(stmt_obj->db_obj, "Unknown parameter type: %ld for parameter %ld", param->type, param->param_number);
+ php_sqlite3_error(stmt_obj->db_obj, "Unknown parameter type: %pd for parameter %pd", param->type, param->param_number);
 RETURN_FALSE;
 }
 zend_hash_move_forward(stmt_obj->bound_params);
@@ -1613,6 +1633,11 @@ PHP_METHOD(sqlite3stmt, __construct)
 return;
 }
+ if (sql_len > INT_MAX) {
+ php_sqlite3_error(stmt_obj->db_obj, "SQL string is too long");
+ RETURN_FALSE;
+ }
+
 db_obj = (php_sqlite3_db_object *)zend_object_store_get_object(db_zval TSRMLS_CC);
 SQLITE3_CHECK_INITIALIZED(db_obj, db_obj->initialised, SQLite3)
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
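Review bot: The `blength > INT_MAX` return sits before the `if (stream) {` block that follows `sqlite3_bind_blob`, so when `buffer` was filled by `php_stream_copy_to_mem` the early exit appears to skip whatever release that block performs, and the copied data would leak. The body of that block is outside the hunk, so this is inferred; if it frees `buffer`, the same release should run under `if (stream)` before `RETURN_FALSE;`. A comment such as `/* sqlite3_bind_blob() takes an int length; reject larger input instead of truncating */` above the check would also record why the limit is INT_MAX.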
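Review bot: In __construct the guard reports through `stmt_obj->db_obj`, yet the database object is only fetched from `db_zval` on the line after the check; unless `stmt_obj->db_obj` is assigned earlier in the constructor (not visible here), `php_sqlite3_error` receives an unset pointer. Placing the check after the `db_obj = ...` lookup and `SQLITE3_CHECK_INITIALIZED`, and calling `php_sqlite3_error(db_obj, "SQL statement is too long.");`, would address that. It would also align the message with the wording used in prepare, query and querySingle, which currently differs ("SQL string is too long", no trailing period).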