
Commit 25cb6f0

smalyshev authored and Julien Pauli committed
Merge branch 'PHP-5.4.40' into PHP-5.5.24
* PHP-5.4.40:
  Additional fix for bug #69324
  More fixes for bug #69152
  Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
  Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar)
  Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER)
  Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4)
  Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault)
  Fixed bug #68901 (use after free)
  Fixed bug #68740 (NULL Pointer Dereference)
  Fix bug #66550 (SQLite prepared statement use-after-free)
  Better fix for #68601 for perf https://bitbucket.org/libgd/gd-libgd/commits/81e9a993f2893d651d225646378e3fd1b7465467
  Fix bug #68601 buffer read overflow in gd_gif_in.c
  Revert "Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4"
  Fixed bug #69293
  Add ZEND_ARG_CALLABLE_INFO to allow internal function to type hint against callable.
1 parent b4554a0 commit 25cb6f0


3 files changed

+43
-0
lines changed


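--- a/ext/ereg/regex/regcomp.c
+++ b/ext/ereg/regex/regcomp.c
@@ -1284,6 +1284,10 @@ int c;
 register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;
 register unsigned uc = (unsigned char)c;
 
+if (!g->setbits) {
+return(0);
+}
+
 for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
 if (col[uc] != 0)
 return(1);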
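Review bot: The new `if (!g->setbits)` guard carries no explanation of why setbits can be NULL while ncols is non-zero, so a later reader may take it for dead code and drop it; a one-line comment such as `/* setbits may still be NULL (never allocated, or allocation failed) - treat as "c is in no set" instead of indexing through NULL */` would pin the intent. The guard itself looks correct: returning 0 is the same answer the loop gives when no set contains uc. The function's opening lines and its closing `return(0);` are outside the hunk. If this file has another routine walking `g->setbits` column by column (a set-comparison helper, for instance), it presumably needs the same check — worth confirming rather than assuming this was the only caller.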

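--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1279,6 +1279,8 @@ PHP_METHOD(sqlite3stmt, paramCount)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1295,6 +1297,8 @@ PHP_METHOD(sqlite3stmt, close)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1313,6 +1317,8 @@ PHP_METHOD(sqlite3stmt, reset)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1333,6 +1339,8 @@ PHP_METHOD(sqlite3stmt, clear)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1354,6 +1362,8 @@ PHP_METHOD(sqlite3stmt, readOnly)
 php_sqlite3_stmt *stmt_obj;
 zval *object = getThis();
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 if (zend_parse_parameters_none() == FAILURE) {
 return;
@@ -1421,6 +1431,8 @@ PHP_METHOD(sqlite3stmt, bindParam)
 zval *object = getThis();
 struct php_sqlite3_bound_param param = {0};
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 param.param_number = -1;
 param.type = SQLITE3_TEXT;
@@ -1452,6 +1464,8 @@ PHP_METHOD(sqlite3stmt, bindValue)
 zval *object = getThis();
 struct php_sqlite3_bound_param param = {0};
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 param.param_number = -1;
 param.type = SQLITE3_TEXT;
@@ -1487,6 +1501,8 @@ PHP_METHOD(sqlite3stmt, execute)
 
 stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
 
+SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }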
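Review bot: All eight new SQLITE3_CHECK_INITIALIZED call sites pass `SQLite3` as the class name, so a finalized statement makes an SQLite3Stmt method report "The SQLite3 object has not been correctly initialised" (as the new bug66550.phpt expects), which points the user at the wrong object; passing the statement class instead — `SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3Stmt)` — would name the object actually being checked, with the test expectation updated to match. The guard also only closes the use-after-free if `stmt_obj->initialised` is cleared when SQLite3::close() finalizes the underlying sqlite3_stmt; that happens outside this hunk, so a short comment at the first call site, e.g. `/* initialised is cleared when the owning SQLite3 object finalizes this statement */`, would tie the two halves together. Each PHP_METHOD body begins before and continues past its hunk, so the later uses of stmt_obj->stmt that this protects are not visible here.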

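--- /dev/null
+++ b/ext/sqlite3/tests/bug66550.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE==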
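Review bot: The test exercises only `SQLite3Stmt::reset()` after `$db->close()`, while the accompanying sqlite3.c change guards eight statement methods, so a regression in any of the other seven would pass unnoticed. Adding `$stmt->execute();` and `$stmt->bindValue(':id', 1);` after the reset call, with matching `Warning: SQLite3Stmt::execute(): ...` and `Warning: SQLite3Stmt::bindValue(): ...` lines in --EXPECTF--, would cover the two methods most likely to touch the finalized sqlite3_stmt at no extra cost. A descriptive skip reason, `die('skip sqlite3 extension not available');`, would also make a skipped run self-explanatory in the test log.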
