Commit fda91a0

Fix GH-13984: Buffer size is now checked before memcmp (#13991)
Fixed an issue where a buffer overflow occurred when a string shorter than `:memory:` was passed as the db name of pdo_sqlite. fixed #13984 closes #13991
1 parent 1acd7a0 commit fda91a0

3 files changed

+22
-1
lines changed

NEWS

Lines changed: 3 additions & 0 deletions
@@ -29,6 +29,9 @@ PHP NEWS
2929
. Fixed bug GH-10495 (feof on OpenSSL stream hangs indefinitely).
3030
(Jakub Zelenka)
3131

32+
- PDO SQLite:
33+
. Fix GH-13984 (Buffer size is now checked before memcmp). (Saki Takamachi)
34+
3235
- Phar:
3336
. Fixed bug GH-13836 (Renaming a file in a Phar to an already existing
3437
filename causes a NULL pointer dereference). (nielsdos)
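
Review bot: The added NEWS entry says "Buffer size is now checked before memcmp", but the code change in this commit replaces the memcmp call with strcmp and adds no size check, so the entry describes a fix other than the one applied. It also opens with "Fix GH-13984" where the neighbouring entries use "Fixed bug GH-...". Suggest rewording to match the code and the section's style, for example ". Fixed bug GH-13984 (Buffer overflow when the db name is shorter than ":memory:"). (Saki Takamachi)".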

ext/pdo_sqlite/sqlite_driver.c

Lines changed: 1 addition & 1 deletion
@@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename)
751751
}
752752
return estrdup(filename);
753753
}
754-
if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) {
754+
if (*filename && strcmp(filename, ":memory:")) {
755755
char *fullpath = expand_filepath(filename, NULL);
756756

757757
if (!fullpath) {
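
Review bot: The new condition on line 754 deserves a short comment, because nothing in it records why memcmp was wrong here. memcmp(filename, ":memory:", sizeof(":memory:")) always compares 9 bytes (the literal plus its NUL), so a filename shorter than that may be read past its end, while strcmp stops at the first NUL. strcmp does rely on filename being NUL-terminated, which the estrdup(filename) call just above already assumes, so the swap is sound; a one-line comment would keep a later cleanup from reintroducing a fixed-length compare.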

ext/pdo_sqlite/tests/gh13991.phpt

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
--TEST--
2+
Fix GH-13984: Buffer size is now checked before memcmp
3+
--EXTENSIONS--
4+
pdo_sqlite
5+
--SKIPIF--
6+
<?php if (file_exists(getcwd() . '/13991db')) die('skip File "13991db" already exists.'); ?>
7+
--FILE--
8+
<?php
9+
$dbfile = '13991db';
10+
$db = new PDO('sqlite:' . $dbfile, null, null, [PDO::ATTR_PERSISTENT => true]);
11+
echo 'done!';
12+
?>
13+
--CLEAN--
14+
<?php
15+
@unlink(getcwd() . '/13991db');
16+
?>
17+
--EXPECT--
18+
done!
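
Review bot: The --EXPECT-- section asserts only that "done!" is printed, so this test catches a regression only when the suite runs under a memory checker such as ASan or Valgrind; in a plain build the old memcmp would most likely still let the script finish. A comment in the --FILE-- section saying so would help. The file is also named gh13991.phpt and uses '13991db' (the PR number), while the --TEST-- title and the NEWS entry refer to GH-13984; naming it after the issue would make it easier to find. The chosen name is 7 characters, shorter than ":memory:", so it does exercise the short-name path.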