Fixed bug #41285 (Improved fix for CVE-2007-1887 to work with non-bundled

sqlite2 lib).

NEWS

@@ -6,6 +6,8 @@ PHP                                                                        NEWS
 - Fixed altering $this via argument named "this". (Dmitry)
 - Fixed bug #41287 (Namespace functions don't allow xmlns defintion to be 
   optional). (Rob)
+- Fixed bug #41285 (Improved fix for CVE-2007-1887 to work with non-bundled
+  sqlite2 lib). (Ilia)
 - Fixed bug #41283 (Bug with serializing array key that are doubles or
   floats). (Ilia)
 - Fixed bug #41257: (lookupNamespaceURI does not work as expected). (Rob)

ext/sqlite/sess_sqlite.c

@@ -110,9 +110,13 @@ PS_READ_FUNC(sqlite)
 		case SQLITE_ROW:
 			if (rowdata[0] != NULL) {
 				*vallen = strlen(rowdata[0]);
-				*val = emalloc(*vallen);
+				if (*vallen) {
-				*vallen = sqlite_decode_binary(rowdata[0], *val);
+					*val = emalloc(*vallen);
-				(*val)[*vallen] = '\0';
+					*vallen = sqlite_decode_binary(rowdata[0], *val);
+					(*val)[*vallen] = '\0';
+				} else {
+					*val = STR_EMPTY_ALLOC();
+				}
 			}
 			break;
 		default:

ext/sqlite/sqlite.c

@@ -73,7 +73,7 @@ extern int sqlite_encode_binary(const unsigned char *in, int n, unsigned char *o
 extern int sqlite_decode_binary(const unsigned char *in, unsigned char *out);
 
 #define php_sqlite_encode_binary(in, n, out) sqlite_encode_binary((const unsigned char *)in, n, (unsigned char *)out)
-#define php_sqlite_decode_binary(in, out)    sqlite_decode_binary((const unsigned char *)in, (unsigned char *)out)
+#define php_sqlite_decode_binary(in, out) in && *in ? sqlite_decode_binary((const unsigned char *)in, (unsigned char *)out) : 0
 
 static int sqlite_count_elements(zval *object, long *count TSRMLS_DC);