Merge branch 'PHP-5.4.40' into PHP-5.5.24
* PHP-5.4.40:
Additional fix for bug #69324
More fixes for bug #69152
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar)
Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER)
Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4)
Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault)
Fixed bug #68901 (use after free)
Fixed bug #68740 (NULL Pointer Dereference)
Fix bug #66550 (SQLite prepared statement use-after-free)
Better fix for #68601 for perf 81e9a993f2
Fix bug #68601 buffer read overflow in gd_gif_in.c
Revert "Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4"
Fixed bug #69293
Add ZEND_ARG_CALLABLE_INFO to allow internal function to type hint against callable.
committed by
Julien Pauli
parent
b4554a022e
commit
25cb6f001f
@@ -1284,6 +1284,10 @@ int c;
|
||||
register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;
|
||||
register unsigned uc = (unsigned char)c;
|
||||
|
||||
if (!g->setbits) {
|
||||
return(0);
|
||||
}
|
||||
|
||||
for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
|
||||
if (col[uc] != 0)
|
||||
return(1);
|
||||
|
||||
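Review bot: The `if (!g->setbits) { return(0); }` guard ahead of the loop carries no comment saying when `setbits` can be NULL, so a reader cannot tell whether this is a normal state or the trace of an earlier allocation failure that is now reported as "character not in any set". I would add a one-line comment above it, for example `/* no set table allocated: no character can be a member */`. If NULL can only follow a failed allocation, it is worth confirming that the compile step still reports that error to its caller. The +/- markers are lost on this page, so the guard is read as the added lines from the hunk counts (6 to 10), and the function starts and ends outside the hunk.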
@@ -1279,6 +1279,8 @@ PHP_METHOD(sqlite3stmt, paramCount)
|
||||
php_sqlite3_stmt *stmt_obj;
|
||||
zval *object = getThis();
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
if (zend_parse_parameters_none() == FAILURE) {
|
||||
return;
|
||||
@@ -1295,6 +1297,8 @@ PHP_METHOD(sqlite3stmt, close)
|
||||
php_sqlite3_stmt *stmt_obj;
|
||||
zval *object = getThis();
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
if (zend_parse_parameters_none() == FAILURE) {
|
||||
return;
|
||||
@@ -1313,6 +1317,8 @@ PHP_METHOD(sqlite3stmt, reset)
|
||||
php_sqlite3_stmt *stmt_obj;
|
||||
zval *object = getThis();
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
if (zend_parse_parameters_none() == FAILURE) {
|
||||
return;
|
||||
@@ -1333,6 +1339,8 @@ PHP_METHOD(sqlite3stmt, clear)
|
||||
php_sqlite3_stmt *stmt_obj;
|
||||
zval *object = getThis();
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
if (zend_parse_parameters_none() == FAILURE) {
|
||||
return;
|
||||
@@ -1354,6 +1362,8 @@ PHP_METHOD(sqlite3stmt, readOnly)
|
||||
php_sqlite3_stmt *stmt_obj;
|
||||
zval *object = getThis();
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
if (zend_parse_parameters_none() == FAILURE) {
|
||||
return;
|
||||
@@ -1421,6 +1431,8 @@ PHP_METHOD(sqlite3stmt, bindParam)
|
||||
zval *object = getThis();
|
||||
struct php_sqlite3_bound_param param = {0};
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
param.param_number = -1;
|
||||
param.type = SQLITE3_TEXT;
|
||||
@@ -1452,6 +1464,8 @@ PHP_METHOD(sqlite3stmt, bindValue)
|
||||
zval *object = getThis();
|
||||
struct php_sqlite3_bound_param param = {0};
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
param.param_number = -1;
|
||||
param.type = SQLITE3_TEXT;
|
||||
@@ -1487,6 +1501,8 @@ PHP_METHOD(sqlite3stmt, execute)
|
||||
|
||||
stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
|
||||
|
||||
SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
|
||||
|
||||
if (zend_parse_parameters_none() == FAILURE) {
|
||||
return;
|
||||
}
|
||||
|
||||
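Review bot: The line `SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)` is repeated by hand in paramCount, close, reset, clear, readOnly, bindParam, bindValue and execute, so the use-after-free protection depends on every current and future SQLite3Stmt method remembering it. Consider folding the object fetch and this check into one helper macro used at the top of each statement method, so the sqlite3_stmt handle cannot be reached without passing through it. The guard only helps if `initialised` or `db_obj` is cleared when the connection is closed; that code is not in these hunks, so it should be confirmed. Passing `SQLite3` as the class name also makes the warning name the SQLite3 object when the call came through SQLite3Stmt, as the new test's expected output shows. All eight method bodies continue outside their hunks.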
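--- a/ext/sqlite3/tests/bug66550.phpt
+++ b/ext/sqlite3/tests/bug66550.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE==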
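Review bot: The regression test only calls `$stmt->reset()` after `$db->close()`, while the same commit adds the initialisation check to eight SQLite3Stmt methods (paramCount, close, reset, clear, readOnly, bindParam, bindValue, execute). A guard later dropped from any of the other seven would not be caught here. I would add one call per guarded method after `$db->close()` and extend `--EXPECTF--` with the matching `Warning: SQLite3Stmt::<method>(): The SQLite3 object has not been correctly initialised in %s` lines.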