archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.1'

Browse source
This commit is contained in:
Stanislav Malyshev 2022-06-06 01:11:49 -06:00
commit 70d03423c7
3 changed files with 32 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
ext/mysqlnd/mysqlnd_wireprotocol.c
View file

@ -776,7 +776,8 @@ php_mysqlnd_change_auth_response_write(MYSQLND_CONN_DATA * conn, void * _packet)
MYSQLND_VIO * vio = conn->vio; MYSQLND_VIO * vio = conn->vio;
MYSQLND_STATS * stats = conn->stats; MYSQLND_STATS * stats = conn->stats;
MYSQLND_CONNECTION_STATE * connection_state = &conn->state; MYSQLND_CONNECTION_STATE * connection_state = &conn->state;
zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len); size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */ zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */
DBG_ENTER("php_mysqlnd_change_auth_response_write"); DBG_ENTER("php_mysqlnd_change_auth_response_write");

6
ext/pgsql/pgsql.c
View file

@ -1201,7 +1201,7 @@ PHP_FUNCTION(pg_query_params)
} else { } else {
zend_string *param_str = zval_try_get_string(tmp); zend_string *param_str = zval_try_get_string(tmp);
if (!param_str) { if (!param_str) {
_php_pgsql_free_params(params, num_params); _php_pgsql_free_params(params, i);
RETURN_THROWS(); RETURN_THROWS();
} }
params[i] = estrndup(ZSTR_VAL(param_str), ZSTR_LEN(param_str)); params[i] = estrndup(ZSTR_VAL(param_str), ZSTR_LEN(param_str));
@ -3918,8 +3918,8 @@ PHP_FUNCTION(pg_send_execute)
params[i] = NULL; params[i] = NULL;
} else { } else {
zend_string *tmp_str = zval_try_get_string(tmp); zend_string *tmp_str = zval_try_get_string(tmp);
if (UNEXPECTED(!tmp)) { if (UNEXPECTED(!tmp_str)) {
_php_pgsql_free_params(params, num_params); _php_pgsql_free_params(params, i);
return; return;
} }
params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str)); params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str));

27
ext/pgsql/tests/bug81720.phpt Normal file
View file

@ -0,0 +1,27 @@
--TEST--
Bug #81720 (Uninitialized array in pg_query_params() leading to RCE)
--SKIPIF--
<?php include("skipif.inc"); ?>
--FILE--
<?php
include('config.inc');
$conn = pg_connect($conn_str);
try {
pg_query_params($conn, 'SELECT $1, $2', [1, new stdClass()]);
} catch (Throwable $ex) {
echo $ex->getMessage(), PHP_EOL;
}
try {
pg_send_prepare($conn, "my_query", 'SELECT $1, $2');
pg_get_result($conn);
pg_send_execute($conn, "my_query", [1, new stdClass()]);
} catch (Throwable $ex) {
echo $ex->getMessage(), PHP_EOL;
}
?>
--EXPECT--
Object of class stdClass could not be converted to string
Object of class stdClass could not be converted to string