iliaa                                    Wed, 28 Apr 2010 12:10:10 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=298697

Log:
Fixed a possible arbitrary memory access inside sqlite extension. Reported by 
Mateusz Kocielski.

Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    U   php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c
    U   php/php-src/trunk/ext/sqlite/sqlite.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS   2010-04-28 10:36:33 UTC (rev 298696)
+++ php/php-src/branches/PHP_5_2/NEWS   2010-04-28 12:10:10 UTC (rev 298697)
@@ -13,6 +13,8 @@
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 - Fixed handling of session variable serialization on certain prefix
   characters. Reported by Stefan Esser (Ilia)
+- Fixed a possible arbitrary memory access inside sqlite extension. Reported
+  by Mateusz Kocielski. (Ilia)

 - Fixed bug #51671 (imagefill does not work correctly for small images).
   (Pierre)

Modified: php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c    2010-04-28 10:36:33 UTC 
(rev 298696)
+++ php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c    2010-04-28 12:10:10 UTC 
(rev 298697)
@@ -2170,7 +2170,7 @@
                return;
        }

-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL 
TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
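Review bot: The emalloc-to-ecalloc switch on the `rres` allocation is the whole fix, yet nothing in the hunk says why zeroing matters, so a later "emalloc is cheaper" cleanup could silently reintroduce the bug; add a comment above the call such as `/* zeroed on purpose: the error path below inspects rres fields that sqlite_query may leave unset when the query fails */`. From the hunk, sqlite_query receives `&rres` and the caller then tests `db->last_err_code` and `rres`, which is consistent with a partially initialised result being cleaned up on failure, but the cleanup itself and the rest of sqlite_query are outside the hunk, so confirm the wording there. The enclosing function starts and ends outside the hunk.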
@@ -2286,7 +2286,7 @@
                return;
        }

-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, 
NULL TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
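Review bot: The `if (rres)` guard after sqlite_query only makes sense if sqlite_query can clear the caller's pointer through `&rres`, because the ecalloc immediately above guarantees it is non-NULL at that point; if sqlite_query NULLs the pointer without freeing the block the allocation leaks on every failed query, and if it never touches the pointer the guard is dead code. Either way the ownership handoff is undocumented, so record it next to the call, e.g. `/* sqlite_query owns rres from here: on failure it frees it and NULLs the pointer */` (or its converse, whichever the implementation does). The enclosing function and sqlite_query itself start and end outside the hunk, so verify before committing to the wording.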

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-04-28 10:36:33 UTC (rev 298696)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-04-28 12:10:10 UTC (rev 298697)
@@ -21,6 +21,8 @@
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)

+- Fixed a possible arbitrary memory access inside sqlite extension. Reported
+  by Mateusz Kocielski. (Ilia)
 - Fixed string format validation inside phar extension. Reported by Stefan
   Esser (Ilia)
 - Fixed handling of session variable serialization on certain prefix

Modified: php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c    2010-04-28 10:36:33 UTC 
(rev 298696)
+++ php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c    2010-04-28 12:10:10 UTC 
(rev 298697)
@@ -2508,7 +2508,7 @@
                return;
        }

-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL 
TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
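Review bot: The only change on the new side is ecalloc replacing emalloc for `rres`, and the hunk leaves no trace of why the zero-fill is required, which makes the fix fragile against a future "avoid the memset" refactor; a one-line comment above the allocation, `/* must be zero-filled: on a failed query the cleanup below reads fields sqlite_query never set */`, pins the intent. The hunk shows sqlite_query taking `&rres` followed by an error check on `db->last_err_code` and then on `rres`, which supports that reading, though the cleanup body is cut off at the end of the hunk. The enclosing function begins and ends outside the hunk.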
@@ -2624,7 +2624,7 @@
                return;
        }

-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, 
NULL TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
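Review bot: Because `rres` is freshly ecalloc'd and therefore non-NULL, the `if (rres)` test right after sqlite_query implies the callee may replace or clear the pointer via `&rres`; whether it also frees the caller-supplied block on that path decides between a correct guard and a per-call leak on failed queries, and the hunk does not show which. Confirm against sqlite_query, which is outside the hunk, and document the result at the call site, for instance `/* on error sqlite_query releases the result it was handed and clears rres */` if that is what it does. The enclosing function starts and ends outside the hunk.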

Modified: php/php-src/trunk/ext/sqlite/sqlite.c
===================================================================
--- php/php-src/trunk/ext/sqlite/sqlite.c       2010-04-28 10:36:33 UTC (rev 
298696)
+++ php/php-src/trunk/ext/sqlite/sqlite.c       2010-04-28 12:10:10 UTC (rev 
298697)
@@ -2499,7 +2499,7 @@
                return;
        }

-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL 
TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
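Review bot: Zeroing `rres` via ecalloc is what closes the reported memory-access issue, but the new line carries no comment, so the safety property depends on reviewers remembering this commit; add `/* zeroed deliberately: the failure path below looks at rres members that sqlite_query may not have initialised */` above the allocation. This reading is inferred from the visible sequence of sqlite_query taking `&rres` and the subsequent checks on `db->last_err_code` and `rres`; the cleanup code that actually reads those members is outside the hunk and should be checked before the comment is finalised. The enclosing function starts and ends outside the hunk.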
@@ -2615,7 +2615,7 @@
                return;
        }

-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, 
NULL TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
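Review bot: The `if (rres)` check following sqlite_query is dead unless sqlite_query can NULL the pointer it receives as `&rres`, since ecalloc on the line above never returns NULL in the Zend allocator model; if it does clear the pointer on error, the block must be freed inside sqlite_query or it leaks once per failed query. The hunk cannot settle which case applies, so confirm in sqlite_query and note the contract at the call, e.g. `/* sqlite_query takes ownership of rres; on failure it frees it and sets rres to NULL */`, adjusted to match the implementation. The enclosing function begins and ends outside the hunk.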
