#46437 [Opn]: data leakage because of nonexisting boundary checking in statements for MySQL41

2008-10-31 Thread hostmaster at uuims dot net 
 ID:   46437
 User updated by:  hostmaster at uuims dot net
 Reported By:  hostmaster at uuims dot net
 Status:   Open
 Bug Type: MySQL related
 Operating System: Fedora Core 4
 PHP Version:  5.2.6
 New Comment:

My email address is hostmaster at uuism dot net.


Previous Comments:


[2008-10-31 17:50:58] hostmaster at uuims dot net

Description:

When I run ext/mysqli/tests/bug38710.phpt with PHP 5.2.6 and MySQL
4.1.20, the scripts fails in a manner not anticipated by the test
script.

The $text consists of 8240 a's followed by a string of non-printable
characters (cat -v shows "[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@^M
[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@^@"), followed
by more a's with the non-printable characters repeated every 8000 a's or
so.

The string $text is not equal to str_repeat('a', 8191) for
mysqli_get_server_version($db)=401020, so the ACTUAL output is:

int(10)
Done

Thanks.

Jim

Reproduce code:
---
stmt_init();
$qry->prepare("SELECT REPEAT('a',10)");
$qry->execute();
$qry->bind_result($text);
$qry->fetch();
if ($text !== str_repeat('a', mysqli_get_server_version($db) > 50110?
10:(mysqli_get_server_version($db)>=5? 8193:8191))) {
var_dump(strlen($text));
}
echo "Done";
?>


Expected result:

It should pass since this is expected behavior for MySQL prior to
version 5.1

Actual result:
--
It failed





-- 
Edit this bug report at http://bugs.php.net/?id=46437&edit=1

#46437 [NEW]: data leakage because of nonexisting boundary checking in statements for MySQL41

2008-10-31 Thread hostmaster at uuims dot net 
From: hostmaster at uuims dot net
Operating system: Fedora Core 4
PHP version:  5.2.6
PHP Bug Type: MySQL related
Bug description:  data leakage because of nonexisting boundary checking in 
statements for MySQL41

Description:

When I run ext/mysqli/tests/bug38710.phpt with PHP 5.2.6 and MySQL 4.1.20,
the scripts fails in a manner not anticipated by the test script.

The $text consists of 8240 a's followed by a string of non-printable
characters (cat -v shows "[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@^M
[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@^@"), followed by
more a's with the non-printable characters repeated every 8000 a's or so.

The string $text is not equal to str_repeat('a', 8191) for
mysqli_get_server_version($db)=401020, so the ACTUAL output is:

int(10)
Done

Thanks.

Jim

Reproduce code:
---
stmt_init();
$qry->prepare("SELECT REPEAT('a',10)");
$qry->execute();
$qry->bind_result($text);
$qry->fetch();
if ($text !== str_repeat('a', mysqli_get_server_version($db) > 50110?
10:(mysqli_get_server_version($db)>=5? 8193:8191))) {
var_dump(strlen($text));
}
echo "Done";
?>


Expected result:

It should pass since this is expected behavior for MySQL prior to version
5.1

Actual result:
--
It failed

-- 
Edit bug report at http://bugs.php.net/?id=46437&edit=1
-- 
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=46437&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=46437&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=46437&r=trysnapshot60
Fixed in CVS:
http://bugs.php.net/fix.php?id=46437&r=fixedcvs
Fixed in CVS and need be documented: 
http://bugs.php.net/fix.php?id=46437&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=46437&r=alreadyfixed
Need backtrace:  
http://bugs.php.net/fix.php?id=46437&r=needtrace
Need Reproduce Script:   
http://bugs.php.net/fix.php?id=46437&r=needscript
Try newer version:   
http://bugs.php.net/fix.php?id=46437&r=oldversion
Not developer issue: 
http://bugs.php.net/fix.php?id=46437&r=support
Expected behavior:   
http://bugs.php.net/fix.php?id=46437&r=notwrong
Not enough info: 
http://bugs.php.net/fix.php?id=46437&r=notenoughinfo
Submitted twice: 
http://bugs.php.net/fix.php?id=46437&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=46437&r=globals
PHP 4 support discontinued:  http://bugs.php.net/fix.php?id=46437&r=php4
Daylight Savings:http://bugs.php.net/fix.php?id=46437&r=dst
IIS Stability:   
http://bugs.php.net/fix.php?id=46437&r=isapi
Install GNU Sed: 
http://bugs.php.net/fix.php?id=46437&r=gnused
Floating point limitations:  
http://bugs.php.net/fix.php?id=46437&r=float
No Zend Extensions:  
http://bugs.php.net/fix.php?id=46437&r=nozend
MySQL Configuration Error:   
http://bugs.php.net/fix.php?id=46437&r=mysqlcfg