af9dc8
From 1c623e3b07128e78362911ff5754e7eee57fa8bb Mon Sep 17 00:00:00 2001
af9dc8
From: Remi Collet <remi@php.net>
af9dc8
Date: Fri, 31 May 2013 08:39:32 +0200
af9dc8
Subject: [PATCH] Fixed Bug #64949 (Buffer overflow in _pdo_pgsql_error)
af9dc8
af9dc8
There is a lot of call such as:
af9dc8
	pdo_pgsql_error(dbh, PGRES_FATAL_ERROR, "Copy command failed");
af9dc8
Where the 3rd paramater is a error message string where a sqlstate (5 chars)
af9dc8
is expected. This cause a segfault in copy_from.phpt and copy_to.phpt.
af9dc8
af9dc8
This is only a sanity check to avoid buffer overflow, but obviously this
af9dc8
calls need to be fixed (using NULL or a correct sqlstate).
af9dc8
---
af9dc8
 NEWS                         | 3 +++
af9dc8
 ext/pdo_pgsql/pgsql_driver.c | 2 +-
af9dc8
 2 files changed, 4 insertions(+), 1 deletion(-)
af9dc8
af9dc8
diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c
af9dc8
index 645fd36..55f4418 100644
af9dc8
--- a/ext/pdo_pgsql/pgsql_driver.c
af9dc8
+++ b/ext/pdo_pgsql/pgsql_driver.c
af9dc8
@@ -76,7 +76,7 @@ int _pdo_pgsql_error(pdo_dbh_t *dbh, pdo_stmt_t *stmt, int errcode, const char *
af9dc8
 		einfo->errmsg = NULL;
af9dc8
 	}
af9dc8
 
af9dc8
-	if (sqlstate == NULL) {
af9dc8
+	if (sqlstate == NULL || strlen(sqlstate) >= sizeof(pdo_error_type)) {
af9dc8
 		strcpy(*pdo_err, "HY000");
af9dc8
 	}
af9dc8
 	else {
af9dc8
-- 
af9dc8
1.7.11.5
af9dc8