iliaa Wed, 28 Apr 2010 12:10:10 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=298697
Log: Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c
U php/php-src/trunk/ext/sqlite/sqlite.c
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2010-04-28 10:36:33 UTC (rev 298696)
+++ php/php-src/branches/PHP_5_2/NEWS 2010-04-28 12:10:10 UTC (rev 298697)
@@ -13,6 +13,8 @@
 requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 - Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser (Ilia)
+- Fixed a possible arbitrary memory access inside sqlite extension. Reported
+ by Mateusz Kocielski. (Ilia)
 - Fixed bug #51671 (imagefill does not work correctly for small images). (Pierre)
Modified: php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c 2010-04-28 10:36:33 UTC (rev 298696)
+++ php/php-src/branches/PHP_5_2/ext/sqlite/sqlite.c 2010-04-28 12:10:10 UTC (rev 298697)
@@ -2170,7 +2170,7 @@
 return;
 }
 
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
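Review bot: The `+` line records nothing about why a struct that sqlite_query() is about to fill must be zeroed first, and the next reader will see a zero-fill of soon-to-be-overwritten memory and may "optimise" it back to emalloc(). The fix only makes sense if sqlite_query() can presumably return with `*rres` partially initialised and the error path that follows (`if (db->last_err_code != SQLITE_OK) { if (rres) {` …) then reads or frees fields of that struct; I would pin that down above the allocation with `/* ecalloc, not emalloc: sqlite_query() may fail before it sets every field and the error path below frees whatever is non-NULL */`. Whether sqlite_query() can also set `rres` itself to NULL, which is what the `if (rres)` test implies, is not visible in this hunk and is worth confirming against its body. The enclosing function starts and ends outside the hunk.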
@@ -2286,7 +2286,7 @@
 return;
 }
 
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-04-28 10:36:33 UTC (rev 298696)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-04-28 12:10:10 UTC (rev 298697)
@@ -21,6 +21,8 @@
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey)
+- Fixed a possible arbitrary memory access inside sqlite extension. Reported
+ by Mateusz Kocielski. (Ilia)
 - Fixed string format validation inside phar extension. Reported by Stefan Esser (Ilia)
 - Fixed handling of session variable serialization on certain prefix
Modified: php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c 2010-04-28 10:36:33 UTC (rev 298696)
+++ php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c 2010-04-28 12:10:10 UTC (rev 298697)
@@ -2508,7 +2508,7 @@
 return;
 }
 
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
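Review bot: The fix is applied at the call site rather than in the callee, and this is already the second place in the file that allocates a php_sqlite_result, hands it to sqlite_query() by address and then runs the same `if (db->last_err_code != SQLITE_OK) { if (rres) {` error path; a future caller written from the old `emalloc` pattern would silently reintroduce the uninitialised-field problem. I would have sqlite_query() clear the caller-supplied struct itself on entry, something like `memset(*rres, 0, sizeof(**rres));` before it touches any field, and keep the ecalloc() here as a belt-and-braces measure; sqlite_query()'s body is not in the diff, so treat that as a point to check rather than a drop-in line. The enclosing function starts and ends outside the hunk.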
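Review bot: Nothing on the changed line says why zero-filling matters for a struct sqlite_query() is expected to populate, so the ecalloc() reads as wasted work and is an easy target for a later "cleanup" back to emalloc(). The change only protects anything if sqlite_query() can presumably bail out with `*rres` partially set and the error path in this hunk (`if (rres) {` …) then inspects or frees those fields; I would state that above the allocation with `/* zero-filled on purpose: sqlite_query() may fail before initialising every field, and the cleanup below relies on unset pointers being NULL */`. Whether sqlite_query() can set `rres` to NULL (what `if (rres)` implies) is not visible here and should be confirmed against its body. The function containing this hunk starts and ends outside it.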
@@ -2624,7 +2624,7 @@
 return;
 }
 
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
Modified: php/php-src/trunk/ext/sqlite/sqlite.c
===================================================================
--- php/php-src/trunk/ext/sqlite/sqlite.c 2010-04-28 10:36:33 UTC (rev 298696)
+++ php/php-src/trunk/ext/sqlite/sqlite.c 2010-04-28 12:10:10 UTC (rev 298697)
@@ -2499,7 +2499,7 @@
 return;
 }
 
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
@@ -2615,7 +2615,7 @@
 return;
 }
 
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
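Review bot: The same allocate-then-sqlite_query() sequence with the same `if (db->last_err_code != SQLITE_OK) { if (rres) {` cleanup appears twice in this file, and the fix patches each call site instead of the one callee they share, so any further caller built from the old `emalloc` form gets the bug back. I would make sqlite_query() responsible for clearing a caller-supplied result, e.g. `memset(*rres, 0, sizeof(**rres));` as its first action on that pointer, and leave the ecalloc() here as defence in depth; since sqlite_query() is outside the diff this is a point to verify in its body, not a line to paste. The enclosing function starts and ends outside the hunk.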
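Review bot: The `+` line gives no hint that the zero-fill is load-bearing, so it looks like a redundant initialisation of a struct sqlite_query() is about to populate and is at risk of being reverted to emalloc() in a later tidy-up. The fix helps only if sqlite_query() can presumably return early with `*rres` partially initialised and the error path that follows (`if (rres) {` …) then reads or frees fields of it; I would record that above the allocation with `/* must be zeroed: sqlite_query() can fail part-way through initialising *rres and the error path below frees only non-NULL members */`. Whether sqlite_query() can also null out `rres`, as the `if (rres)` test suggests, is not visible in this hunk and is worth confirming. The enclosing function starts and ends outside the hunk.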
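Review bot: This hunk repeats, in the second call site of the file, the same per-caller fix as the hunk above it: allocate, zero, pass `&rres` to sqlite_query(), then the identical `if (db->last_err_code != SQLITE_OK) { if (rres) {` cleanup, which leaves the invariant "a result handed to sqlite_query() is zeroed" enforced by convention rather than by code. I would centralise it in sqlite_query() itself with `memset(*rres, 0, sizeof(**rres));` before it assigns any field, keeping the ecalloc() at the call sites as a second layer; sqlite_query()'s body is not in the diff, so confirm there that nothing relies on incoming field values before adding it. The function containing this hunk starts and ends outside it.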