On Tue, 3 Dec 2002, Michael Sisolak wrote:

> Frank Kromann has investigated these issues and has made fixes in the
> CVS version of ext/mssql.

Are these fixes merged into the branch?

Derick

> --- Michael Sisolak <[EMAIL PROTECTED]> wrote:
> > Testing my existing SQL Server based sites with 4.3.0RC2 resulted in
> > many memory access violations and crashes.  I believe that I have
> > tracked these down to two different changes made to the MSSQL
> > extension since 4.2.3:
> > 
> > 1) In version 1.82 of php_mssql.c there were 6 mallocs that were
> > changed from "emalloc(res_length + 1);" to "emalloc(res_length);".  I
> > believe, however, that the code that uses those memory blocks in at
> > least four of the cases required that extra space.  This is the code
> > as it is now for two of the changes in 4.3.0RC2:
> > 
> >     res_buf = (unsigned char *) emalloc(res_length);
> >     bin = ((DBBINARY *)dbdata(mssql_ptr->link, offset));
> >     memcpy(res_buf, bin, res_length);
> >     res_buf[res_length] = '\0';
> > 
> > Isn't the setting of res_buf[res_length] illegal, as that would be
> > beyond the bounds of emalloc(res_length)?  Also this code (appearing
> > in two of the changes):
> > 
> >     res_length = 19;
> >     res_buf = (unsigned char *) emalloc(res_length);
> >     sprintf(res_buf, "%d-%02d-%02d %02d:%02d:%02d" ,  . . .
> > 
> > Since the length of the character string is going to be 19
> > characters, isn't the sprintf going to write an ASCIIZ ending beyond
> > the size of res_buf?
> > 
> > Does the way emalloc() works take care of these problems?  Adding the
> > "+ 1" back to these four emalloc() calls stopped one set of crashes.
> > 
> > 2) In version 1.83 of php_mssql.c the mssql_query() function was
> > altered from:
> > 
> >     if ((num_fields = dbnumcols(mssql_ptr->link)) <= 0) {
> >             RETURN_TRUE;
> >     }
> > 
> > to:
> > 
> >     if ((num_fields = dbnumcols(mssql_ptr->link)) <= 0 &&
> >         !dbdataready(mssql_ptr->link)) {
> >             RETURN_TRUE;
> >     }
> > 
> > The CVS comment indicates that this change was for "fixing the
> > mssql_query to handle multiple results correct if the first result
> > does not return any data."  If I now call mssql_query() with a query that
> > doesn't return any values (like a SQL-T EXEC call), however, PHP will
> > crash (removing the new dbdataready() check eliminates the crash).
> > 
> > Michael Sisolak
> > [EMAIL PROTECTED]
> > 
> > __________________________________________________
> > Do you Yahoo!?
> > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > http://mailplus.yahoo.com
> > 
> 
> 
> 
> -- 
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

-- 

-------------------------------------------------------------------------
 Derick Rethans                                 http://derickrethans.nl/ 
 PHP Magazine - PHP Magazine for Professionals       http://php-mag.net/
-------------------------------------------------------------------------
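The two allocation bugs quoted above are a textbook heap off-by-one:
emalloc(res_length) followed by res_buf[res_length] = '\0' stores the
terminator one byte past the block, and a 19-byte block for a 19-character
sprintf has no room for the NUL that sprintf always appends. The C below is
an added illustration, not code from php_mssql.c or from anyone in this
thread. It uses plain malloc in place of emalloc, a constructed column_bytes
struct standing in for what dbdata() hands back, and a constructed sample
value; the overflow_bytes, copy_column_terminated and format_datetime
functions are hypothetical names. It also goes one step past the thread by
sizing the datetime buffer from the format with snprintf instead of the
hard-coded 19, which covers a year that does not have four digits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a binary column as returned by dbdata():
 * `len` bytes with no NUL terminator of their own. */
typedef struct {
    const unsigned char *data;
    size_t len;
} column_bytes;

/* Constructed sample column: four bytes, one of them an embedded NUL,
 * which is why the copy needs memcpy plus an explicit terminator. */
column_bytes sample_column(void)
{
    static const unsigned char bytes[] = { 0x01, 0x02, 0x00, 0x03 };
    column_bytes col = { bytes, sizeof bytes };
    return col;
}

/* Bytes written past a block of alloc_len bytes when payload_len bytes
 * plus one terminator are stored in it. Zero means the write is in bounds. */
size_t overflow_bytes(size_t alloc_len, size_t payload_len)
{
    size_t written = payload_len + 1;
    return written > alloc_len ? written - alloc_len : 0;
}

/* Corrected form of the quoted memcpy/terminator sequence: the block is
 * len + 1 bytes, so index len (the terminator) is inside it. */
unsigned char *copy_column_terminated(const column_bytes *col)
{
    if (col->len == SIZE_MAX)          /* len + 1 would wrap around */
        return NULL;
    unsigned char *res_buf = malloc(col->len + 1);
    if (res_buf == NULL)
        return NULL;
    memcpy(res_buf, col->data, col->len);
    res_buf[col->len] = '\0';          /* valid: block has len + 1 bytes */
    return res_buf;
}

/* Copies the sample column and checks that the payload survived intact
 * and that the terminator landed at index len. Returns 1 on success. */
int copy_round_trips(void)
{
    column_bytes col = sample_column();
    unsigned char *copy = copy_column_terminated(&col);
    int ok = copy != NULL
          && memcmp(copy, col.data, col.len) == 0
          && copy[col.len] == '\0';
    free(copy);
    return ok;
}

/* Length the quoted datetime format produces for these arguments, as
 * reported by snprintf with a NULL buffer (the terminator is not counted). */
size_t datetime_text_len(int year, int mon, int day, int hour, int min, int sec)
{
    int n = snprintf(NULL, 0, "%d-%02d-%02d %02d:%02d:%02d",
                     year, mon, day, hour, min, sec);
    return n < 0 ? 0 : (size_t)n;
}

/* Corrected form of the quoted sprintf: the block is sized from the format
 * (text length plus one for the NUL) rather than from a hard-coded 19. */
char *format_datetime(int year, int mon, int day, int hour, int min, int sec)
{
    size_t n = datetime_text_len(year, mon, day, hour, min, sec);
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return NULL;
    snprintf(buf, n + 1, "%d-%02d-%02d %02d:%02d:%02d",
             year, mon, day, hour, min, sec);
    return buf;
}

int main(void)
{
    column_bytes col = sample_column();
    char *when = format_datetime(2002, 12, 3, 14, 5, 9);

    printf("emalloc(19) for a %zu-char datetime overflows by %zu byte(s)\n",
           datetime_text_len(2002, 12, 3, 14, 5, 9),
           overflow_bytes(19, datetime_text_len(2002, 12, 3, 14, 5, 9)));
    printf("emalloc(len) + res_buf[len] = 0 overflows by %zu byte(s)\n",
           overflow_bytes(col.len, col.len));
    printf("emalloc(len + 1) overflows by %zu byte(s)\n",
           overflow_bytes(col.len + 1, col.len));
    printf("terminated copy round-trips: %s; datetime: %s\n",
           copy_round_trips() ? "yes" : "no", when ? when : "(alloc failed)");
    free(when);
    return 0;
}
```

The overflow here is a single byte, which is exactly why the symptom in the
thread is intermittent access violations rather than a clean failure: whether
the stray NUL clobbers allocator metadata or an adjacent live object depends
on what the heap happens to put next to the block.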

