|
 |
d2399a |
From 1c623e3b07128e78362911ff5754e7eee57fa8bb Mon Sep 17 00:00:00 2001
|
|
|
d2399a |
From: Remi Collet <remi@php.net>
|
|
|
d2399a |
Date: Fri, 31 May 2013 08:39:32 +0200
|
|
|
d2399a |
Subject: [PATCH] Fixed Bug #64949 (Buffer overflow in _pdo_pgsql_error)
|
|
|
d2399a |
|
|
|
d2399a |
There is a lot of call such as:
|
|
|
d2399a |
pdo_pgsql_error(dbh, PGRES_FATAL_ERROR, "Copy command failed");
|
|
|
d2399a |
Where the 3rd paramater is a error message string where a sqlstate (5 chars)
|
|
|
d2399a |
is expected. This cause a segfault in copy_from.phpt and copy_to.phpt.
|
|
|
d2399a |
|
|
|
d2399a |
This is only a sanity check to avoid buffer overflow, but obviously this
|
|
|
d2399a |
calls need to be fixed (using NULL or a correct sqlstate).
|
|
|
d2399a |
---
|
|
|
d2399a |
NEWS | 3 +++
|
|
|
d2399a |
ext/pdo_pgsql/pgsql_driver.c | 2 +-
|
|
|
d2399a |
2 files changed, 4 insertions(+), 1 deletion(-)
|
|
|
d2399a |
|
|
|
d2399a |
diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c
|
|
|
d2399a |
index 645fd36..55f4418 100644
|
|
|
d2399a |
--- a/ext/pdo_pgsql/pgsql_driver.c
|
|
|
d2399a |
+++ b/ext/pdo_pgsql/pgsql_driver.c
|
|
|
d2399a |
@@ -76,7 +76,7 @@ int _pdo_pgsql_error(pdo_dbh_t *dbh, pdo_stmt_t *stmt, int errcode, const char *
|
|
|
d2399a |
einfo->errmsg = NULL;
|
|
|
d2399a |
}
|
|
|
d2399a |
|
|
|
d2399a |
- if (sqlstate == NULL) {
|
|
|
d2399a |
+ if (sqlstate == NULL || strlen(sqlstate) >= sizeof(pdo_error_type)) {
|
|
|
d2399a |
strcpy(*pdo_err, "HY000");
|
|
|
d2399a |
}
|
|
|
d2399a |
else {
|
|
|
d2399a |
--
|
|
|
d2399a |
1.7.11.5
|
|
|
d2399a |
|