Commit: 1b78aef426a8f413ddd70854eb3fd5fbc95ef675 Author: Johannes Schlüter <johan...@php.net> Thu, 19 Apr 2012 12:46:02 +0200 Parents: adfb4c62b76ef241978814e10cae70498f52ea29 Branches: PHP-5.3 PHP-5.4 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=1b78aef426a8f413ddd70854eb3fd5fbc95ef675 Log: Fix bug #61755 parsing bug can lead to access violations Bugs: https://bugs.php.net/61755 Changed paths: M NEWS M ext/pdo/pdo_sql_parser.re A ext/pdo_mysql/tests/bug_61755.phpt Diff: diff --git a/NEWS b/NEWS index 0cabd97..5fe7245 100644 --- a/NEWS +++ b/NEWS @@ -6,7 +6,10 @@ PHP NEWS . Fixed bug #61537 (json_encode() incorrectly truncates/discards information). (Adam) -?? ??? 2012, PHP 5.3.11 +- PDO: + . Fixed bug #61755 (A parsing bug in the prepared statements can lead to + access violations). (Johannes) + - Iconv extension: . Fixed a bug that iconv extension fails to link to the correct library when another extension makes use of a library that links to the iconv diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re index 8becef9..88f9400 100644 --- a/ext/pdo/pdo_sql_parser.re +++ b/ext/pdo/pdo_sql_parser.re @@ -32,12 +32,12 @@ #define YYCTYPE unsigned char #define YYCURSOR cursor -#define YYLIMIT cursor +#define YYLIMIT s->end #define YYMARKER s->ptr -#define YYFILL(n) +#define YYFILL(n) { RET(PDO_PARSER_EOI); } typedef struct Scanner { - char *ptr, *cur, *tok; + char *ptr, *cur, *tok, *end; } Scanner; static int scan(Scanner *s) @@ -51,7 +51,6 @@ static int scan(Scanner *s) COMMENTS = ("/*"([^*]+|[*]+[^/*])*[*]*"*/"|"--"[^\r\n]*); SPECIALS = [:?"']; MULTICHAR = [:?]; - EOF = [\000]; ANYNOEOF = [\001-\377]; */ @@ -64,7 +63,6 @@ static int scan(Scanner *s) SPECIALS { SKIP_ONE(PDO_PARSER_TEXT); } COMMENTS { RET(PDO_PARSER_TEXT); } (ANYNOEOF\SPECIALS)+ { RET(PDO_PARSER_TEXT); } - EOF { RET(PDO_PARSER_EOI); } */ } @@ -94,6 +92,7 @@ PDO_API int pdo_parse_params(pdo_stmt_t *stmt, char *inquery, int inquery_len, ptr = *outquery; s.cur = inquery; + s.end = inquery + inquery_len + 1; /* phase 1: look for args */ while((t = scan(&s)) != PDO_PARSER_EOI) { 
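Review bot: `#define YYFILL(n) { RET(PDO_PARSER_EOI); }` ends the scan whenever re2c finds fewer than `n` bytes left before `YYLIMIT`, which can happen before the exact end of input because `n` is the longest lookahead of the current state. Whether the last bytes of a query are still tokenised therefore depends on how far `s->end` sits past the data, and nothing in this hunk says so. A comment next to the macro would make the contract explicit, for example `/* re2c calls YYFILL when fewer than n bytes remain; we never refill, so this is end of input */`. If a later rule needs more lookahead than the padding provides, trailing tokens could be skipped silently; presumably the generated maximum fill is small enough today, but that is not enforced here. The `Scanner` struct is complete in the hunk, while `scan()` continues past it.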
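Review bot: `s.end = inquery + inquery_len + 1;` puts the scanner limit one byte past the caller-supplied length, so `scan()` may read `inquery[inquery_len]`. That is only safe if every caller of the exported `pdo_parse_params()` passes a buffer with a terminator, or at least one readable byte, at that index, and the hunk neither checks nor documents this. I would state the precondition where the limit is set, e.g. `/* +1: the terminating NUL at inquery[inquery_len] must be readable; it serves as lookahead padding */`. Since the length is a signed `int`, a negative `inquery_len` should also be rejected before the pointer arithmetic, unless that already happens above the hunk. The body of `pdo_parse_params()` starts and ends outside the hunk.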
diff --git a/ext/pdo_mysql/tests/bug_61755.phpt b/ext/pdo_mysql/tests/bug_61755.phpt
new file mode 100644
index 0000000..1d2b968
--- /dev/null
+++ b/ext/pdo_mysql/tests/bug_61755.phpt
@@ -0,0 +1,41 @@
+--TEST--
+Bug #61755 (A parsing bug in the prepared statements can lead to access violations)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo') || !extension_loaded('pdo_mysql')) die('skip not loaded');
+require dirname(__FILE__) . '/config.inc';
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
+
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+echo "NULL-Byte before first placeholder:\n";
+$s = $db->prepare("SELECT \"a\0b\", ?");
+$s->bindValue(1,"c");
+$s->execute();
+$r = $s->fetch();
+echo "Length of item 0: ".strlen($r[0]).", Value of item 1: ".$r[1]."\n";
+
+echo "\nOpen comment:\n";
+try {
+ $s = $db->prepare("SELECT /*");
+ $s->execute();
+} catch (Exception $e) {
+ echo "Error code: ".$e->getCode()."\n";
+}
+
+echo "\ndone!\n";
+?>
+--EXPECTF--
+NULL-Byte before first placeholder:
+Length of item 0: 3, Value of item 1: c
+
+Open comment:
+Error code: 42000
+
+done!
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
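Review bot: Neither case puts a placeholder or an unterminated quoted literal at the very end of the query, which is where the new `s->end` limit and the `YYFILL` early return decide the outcome. The two existing cases cover only a NUL byte inside a quoted literal and an unterminated comment. Adding `$db->prepare("SELECT ?")` with a bound value, and `$db->prepare("SELECT 'a")` inside the existing try/catch, would pin that boundary. The test also sits under ext/pdo_mysql although the parser change is in ext/pdo, so a driver-neutral copy under ext/pdo/tests would presumably extend the coverage to other drivers that go through the same parser.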