iliaa Tue, 15 Nov 2011 18:02:58 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=319259
Log: Fixed bug #60244 (pg_fetch_* functions do not validate that row param is >0). Bug: https://bugs.php.net/60244 (Open) pg_fetch_* functions behave strangely with row = -1 Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c A php/php-src/branches/PHP_5_3/ext/pgsql/tests/bug60244.phpt U php/php-src/branches/PHP_5_4/ext/pgsql/pgsql.c A php/php-src/branches/PHP_5_4/ext/pgsql/tests/bug60244.phpt U php/php-src/trunk/ext/pgsql/pgsql.c A php/php-src/trunk/ext/pgsql/tests/bug60244.phpt
Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2011-11-15 17:55:33 UTC (rev 319258) +++ php/php-src/branches/PHP_5_3/NEWS 2011-11-15 18:02:58 UTC (rev 319259) @@ -29,6 +29,10 @@ - Phar: . Fixed bug #60261 (NULL pointer dereference in phar). (Felipe) +- Postgres: + . Fixed bug #60244 (pg_fetch_* functions do not validate that row param + is >0). (Ilia) + - SOAP . Fixed bug #44686 (SOAP-ERROR: Parsing WSDL with references). (Dmitry) @@ -83,6 +87,10 @@ . Fixed bug #48476 (cloning extended DateTime class without calling parent::__constr crashed PHP). (Hannes) +- Json: + . Fixed bug #55543 (json_encode() with JSON_NUMERIC_CHECK fails on objects + with numeric string properties). (Ilia, dchurch at sciencelogic dot com) + - MySQL: . Fixed bug #55550 (mysql.trace_mode miscounts result sets). (Johannes) Modified: php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c 2011-11-15 17:55:33 UTC (rev 319258) +++ php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c 2011-11-15 18:02:58 UTC (rev 319259) @@ -2452,6 +2452,10 @@ } else { convert_to_long(zrow); row = Z_LVAL_P(zrow); + if (row < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The row parameter must be greater or equal to zero"); + RETURN_FALSE; + } } use_row = ZEND_NUM_ARGS() > 1 && row != -1; @@ -4798,10 +4802,24 @@ if (result_type & PGSQL_NUM) { add_index_string(return_value, 0, pgsql_notify->relname, 1); add_index_long(return_value, 1, pgsql_notify->be_pid); +#if HAVE_PQPROTOCOLVERSION && HAVE_PQPARAMETERSTATUS + if (PQprotocolVersion(pgsql) >= 3 && atof(PQparameterStatus(pgsql, "server_version")) >= 9.0) { +#else + if (atof(PG_VERSION) >= 9.0) { +#endif + add_index_string(return_value, 2, pgsql_notify->extra, 1); + } } if (result_type & PGSQL_ASSOC) { add_assoc_string(return_value, "message", pgsql_notify->relname, 1); add_assoc_long(return_value, "pid", pgsql_notify->be_pid); +#if HAVE_PQPROTOCOLVERSION && HAVE_PQPARAMETERSTATUS + if (PQprotocolVersion(pgsql) >= 3 && atof(PQparameterStatus(pgsql, "server_version")) >= 9.0) { +#else + if (atof(PG_VERSION) >= 9.0) { +#endif + add_assoc_string(return_value, "payload", pgsql_notify->extra, 1); + } } PQfreemem(pgsql_notify); } Added: php/php-src/branches/PHP_5_3/ext/pgsql/tests/bug60244.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/pgsql/tests/bug60244.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/pgsql/tests/bug60244.phpt 2011-11-15 18:02:58 UTC (rev 319259) @@ -0,0 +1,57 @@ +--TEST-- +Bug #60244 (pg_fetch_* functions do not validate that row param is >0) +--SKIPIF-- +<?php +include("skipif.inc"); +?> +--FILE-- +<?php + +include 'config.inc'; + +$db = pg_connect($conn_str); +$result = pg_query("select 'a' union select 'b'"); + +var_dump(pg_fetch_array($result, -1)); +var_dump(pg_fetch_assoc($result, -1)); +var_dump(pg_fetch_object($result, -1)); +var_dump(pg_fetch_row($result, -1)); + +var_dump(pg_fetch_array($result, 0)); +var_dump(pg_fetch_assoc($result, 0)); +var_dump(pg_fetch_object($result, 0)); +var_dump(pg_fetch_row($result, 0)); + +pg_close($db); + +?> +--EXPECTF-- +Warning: pg_fetch_array(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_assoc(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_object(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_row(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) +array(2) { + [0]=> + string(1) "a" + ["?column?"]=> + string(1) "a" +} +array(1) { + ["?column?"]=> + string(1) "a" +} +object(stdClass)#1 (1) { + ["?column?"]=> + string(1) "a" +} +array(1) { + [0]=> + string(1) "a" +} Modified: php/php-src/branches/PHP_5_4/ext/pgsql/pgsql.c =================================================================== --- php/php-src/branches/PHP_5_4/ext/pgsql/pgsql.c 2011-11-15 17:55:33 UTC (rev 319258) +++ php/php-src/branches/PHP_5_4/ext/pgsql/pgsql.c 2011-11-15 18:02:58 UTC (rev 319259) @@ -2452,6 +2452,10 @@ } else { convert_to_long(zrow); row = Z_LVAL_P(zrow); + if (row < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The row parameter must be greater or equal to zero"); + RETURN_FALSE; + } } use_row = ZEND_NUM_ARGS() > 1 && row != -1; Added: php/php-src/branches/PHP_5_4/ext/pgsql/tests/bug60244.phpt =================================================================== --- php/php-src/branches/PHP_5_4/ext/pgsql/tests/bug60244.phpt (rev 0) +++ php/php-src/branches/PHP_5_4/ext/pgsql/tests/bug60244.phpt 2011-11-15 18:02:58 UTC (rev 319259) @@ -0,0 +1,57 @@ +--TEST-- +Bug #60244 (pg_fetch_* functions do not validate that row param is >0) +--SKIPIF-- +<?php +include("skipif.inc"); +?> +--FILE-- +<?php + +include 'config.inc'; + +$db = pg_connect($conn_str); +$result = pg_query("select 'a' union select 'b'"); + +var_dump(pg_fetch_array($result, -1)); +var_dump(pg_fetch_assoc($result, -1)); +var_dump(pg_fetch_object($result, -1)); +var_dump(pg_fetch_row($result, -1)); + +var_dump(pg_fetch_array($result, 0)); +var_dump(pg_fetch_assoc($result, 0)); +var_dump(pg_fetch_object($result, 0)); +var_dump(pg_fetch_row($result, 0)); + +pg_close($db); + +?> +--EXPECTF-- +Warning: pg_fetch_array(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_assoc(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_object(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_row(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) +array(2) { + [0]=> + string(1) "a" + ["?column?"]=> + string(1) "a" +} +array(1) { + ["?column?"]=> + string(1) "a" +} +object(stdClass)#1 (1) { + ["?column?"]=> + string(1) "a" +} +array(1) { + [0]=> + string(1) "a" +} Modified: php/php-src/trunk/ext/pgsql/pgsql.c =================================================================== --- php/php-src/trunk/ext/pgsql/pgsql.c 2011-11-15 17:55:33 UTC (rev 319258) +++ php/php-src/trunk/ext/pgsql/pgsql.c 2011-11-15 18:02:58 UTC (rev 319259) @@ -2452,6 +2452,10 @@ } else { convert_to_long(zrow); row = Z_LVAL_P(zrow); + if (row < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The row parameter must be greater or equal to zero"); + RETURN_FALSE; + } } use_row = ZEND_NUM_ARGS() > 1 && row != -1; Added: php/php-src/trunk/ext/pgsql/tests/bug60244.phpt =================================================================== --- php/php-src/trunk/ext/pgsql/tests/bug60244.phpt (rev 0) +++ php/php-src/trunk/ext/pgsql/tests/bug60244.phpt 2011-11-15 18:02:58 UTC (rev 319259) @@ -0,0 +1,57 @@ +--TEST-- +Bug #60244 (pg_fetch_* functions do not validate that row param is >0) +--SKIPIF-- +<?php +include("skipif.inc"); +?> +--FILE-- +<?php + +include 'config.inc'; + +$db = pg_connect($conn_str); +$result = pg_query("select 'a' union select 'b'"); + +var_dump(pg_fetch_array($result, -1)); +var_dump(pg_fetch_assoc($result, -1)); +var_dump(pg_fetch_object($result, -1)); +var_dump(pg_fetch_row($result, -1)); + +var_dump(pg_fetch_array($result, 0)); +var_dump(pg_fetch_assoc($result, 0)); +var_dump(pg_fetch_object($result, 0)); +var_dump(pg_fetch_row($result, 0)); + +pg_close($db); + +?> +--EXPECTF-- +Warning: pg_fetch_array(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_assoc(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_object(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) + +Warning: pg_fetch_row(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d +bool(false) +array(2) { + [0]=> + string(1) "a" + ["?column?"]=> + string(1) "a" +} +array(1) { + ["?column?"]=> + string(1) "a" +} +object(stdClass)#1 (1) { + ["?column?"]=> + string(1) "a" +} +array(1) { + [0]=> + string(1) "a" +}
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php