Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix GH-16450: PDO_ODBC can inject garbage into field values
Christoph M. Becker 2024-10-31 16:17:27 +01:00
commit 331bd9571a
No known key found for this signature in database
GPG key ID: D66C9593118BCCB6
4 changed files with 42 additions and 3 deletions

3
NEWS

@ -27,6 +27,9 @@ PHP NEWS
. Fixed bug GH-16167 (Prevent mixing PDO sub-classes with different DSN). . Fixed bug GH-16167 (Prevent mixing PDO sub-classes with different DSN).
(kocsismate) (kocsismate)
- PDO_ODBC:
. Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values). (cmb)
- SPL: - SPL:
. Fixed bug GH-16588 (UAF in Observer->serialize). (nielsdos) . Fixed bug GH-16588 (UAF in Observer->serialize). (nielsdos)
. Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed . Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed


@ -689,11 +689,12 @@ static int odbc_stmt_get_col(pdo_stmt_t *stmt, int colno, zval *result, enum pdo
/* read block. 256 bytes => 255 bytes are actually read, the last 1 is NULL */ /* read block. 256 bytes => 255 bytes are actually read, the last 1 is NULL */
rc = SQLGetData(S->stmt, colno+1, C->is_unicode ? SQL_C_BINARY : SQL_C_CHAR, buf2, 256, &C->fetched_len); rc = SQLGetData(S->stmt, colno+1, C->is_unicode ? SQL_C_BINARY : SQL_C_CHAR, buf2, 256, &C->fetched_len);
/* adjust `used` in case we have length info from the driver */ /* adjust `used` in case we have proper length info from the driver */
if (orig_fetched_len >= 0 && C->fetched_len >= 0) { if (orig_fetched_len >= 0 && C->fetched_len >= 0) {
SQLLEN fixed_used = orig_fetched_len - C->fetched_len; SQLLEN fixed_used = orig_fetched_len - C->fetched_len;
ZEND_ASSERT(fixed_used <= used + 1); if (fixed_used <= used + 1) {
used = fixed_used; used = fixed_used;
}
} }
/* resize output buffer and reassemble block */ /* resize output buffer and reassemble block */
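Review bot: The new guard `if (fixed_used <= used + 1) {` bounds `fixed_used` only from above, yet it can be negative whenever the driver reports a `C->fetched_len` larger than `orig_fetched_len`, because the enclosing test only requires both values to be non-negative. Whether that case is rejected depends on the type of `used`, which is declared outside this section: if it is unsigned, the negative `SQLLEN` is excluded only through implicit conversion, and if it is signed, a negative offset would be accepted and assigned. Stating the lower bound explicitly, `if (fixed_used >= 0 && (size_t)fixed_used <= used + 1) {` (assuming `used` is a `size_t`), keeps the reassembly offset inside the data already copied regardless of that declaration. A one-line comment such as `/* ignore implausible driver lengths and keep the previous value of used */` would also explain why there is no else branch. The body of `odbc_stmt_get_col` starts and ends outside this section.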


@ -0,0 +1,35 @@
--TEST--
GH-16450 (PDO_ODBC can inject garbage into field values)
--EXTENSIONS--
pdo_odbc
--SKIPIF--
<?php
$dbpath = __DIR__ . "/test.mdb";
try {
new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
} catch (PDOException $ex) {
die("skip Cannot connect to MS Access database");
}
?>
--FILE--
<?php
$dbpath = __DIR__ . "/test.mdb";
$pdo = new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
$pdo->exec("CREATE TABLE gh16450 (Id INT, MyLongText LONGCHAR)");
$pdo->exec(sprintf("INSERT INTO gh16450 VALUES (1, '%s')", str_repeat("_", 2048)));
$pdo->exec(sprintf("INSERT INTO gh16450 VALUES (1, '%s')", str_repeat("_", 2049)));
$stmt = $pdo->query("SELECT MyLongText FROM gh16450");
var_dump($stmt->fetchColumn(0));
var_dump($stmt->fetchColumn(0));
?>
--CLEAN--
<?php
$dbpath = __DIR__ . "/test.mdb";
$pdo = new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
$pdo->exec("DROP TABLE gh16450");
?>
--EXPECT--
string(2048) "__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
______________________________________________________________"
string(2049) "__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
_______________________________________________________________"
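Review bot: The query in `--FILE--`, `SELECT MyLongText FROM gh16450`, has no `ORDER BY` and both inserted rows carry `Id` 1, so the `--EXPECT--` order (2048 characters first, then 2049) relies on the driver returning rows in insertion order. Giving the second row a distinct key and sorting makes the expectation deterministic: `INSERT INTO gh16450 VALUES (2, '%s')` for the 2049-character row and `SELECT MyLongText FROM gh16450 ORDER BY Id`. The table is also created inside the committed `test.mdb`, so a run may leave the tracked binary modified even after `--CLEAN--` drops the table; working on a temporary copy of the database would avoid that.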

BIN
ext/pdo_odbc/tests/test.mdb Normal file

Binary file not shown.