Fix GH-13984: Buffer size is now checked before memcmp #13991
Conversation
SakiTakamachi
force-pushed
the
fix/gh-13984
branch
from
94cfc0d to
6e41b7d
Compare
SakiTakamachi
force-pushed
the
fix/gh-13984
branch
from
6e41b7d to
e93c35b
Compare
ext/pdo_sqlite/sqlite_driver.c
Outdated
| @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) | |||
| } | |||
| return estrdup(filename); | |||
| } | |||
| if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) { | |||
| if (*filename && (sizeof(filename) != sizeof(":memory:") || memcmp(filename, ":memory:", sizeof(":memory:")) != 0)) { | |||
There was a problem hiding this comment.
)))) was too hard to see, so I added != 0. The meaning remains the same.
There was a problem hiding this comment.
This is wrong, sizeof(filename) is not the length, it is the size of the pointer.
I also think the != 0 addition is wrong for memcmp?
There was a problem hiding this comment.
why bothering with memcmp anyway ? why not just any str*cmp ?
There was a problem hiding this comment.
This is wrong, sizeof(filename) is not the length, it is the size of the pointer.
Right. I entered sizeof with the intention of strlen...
I also think the != 0 addition is wrong for memcmp?
Since it becomes true when 1 and -1, it seems to be the same because it becomes true when != 0, but am I wrong?
why bothering with memcmp anyway ? why not just any str*cmp ?
I thought I had to convert it to zend_string, but there were some that could be used as char, so I fixed it.
There was a problem hiding this comment.
Right, I misread the original condition. So !=0 is fine.
ext/pdo_sqlite/tests/gh13991.phpt
Outdated
| pdo_sqlite | ||
| --FILE-- | ||
| <?php | ||
| $dbfile = 'z.db'; |
There was a problem hiding this comment.
I did this because specifying the absolute path would make the string longer and not be overloaded.
There was a problem hiding this comment.
Hm right... This can clash with local files though, so perhaps it's better to use 13991 as filename?
ext/pdo_sqlite/tests/gh13991.phpt
Outdated
| ?> | ||
| --CLEAN-- | ||
| <?php | ||
| @unlink(getcwd() . '/z.db'); |
There was a problem hiding this comment.
Is there a better way?
There was a problem hiding this comment.
We should be careful somehow that we don't destroy files or users running the tests.
There was a problem hiding this comment.
Changed to skip if a file with the same name already exists.
ext/pdo_sqlite/sqlite_driver.c
Outdated
| @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) | |||
| } | |||
| return estrdup(filename); | |||
| } | |||
| if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) { | |||
| if (*filename && (sizeof(filename) != sizeof(":memory:") || memcmp(filename, ":memory:", sizeof(":memory:")) != 0)) { | |||
There was a problem hiding this comment.
This is wrong, sizeof(filename) is not the length, it is the size of the pointer.
I also think the != 0 addition is wrong for memcmp?
ext/pdo_sqlite/tests/gh13991.phpt
Outdated
| pdo_sqlite | ||
| --FILE-- | ||
| <?php | ||
| $dbfile = 'z.db'; |
There was a problem hiding this comment.
Hm right... This can clash with local files though, so perhaps it's better to use 13991 as filename?
ext/pdo_sqlite/tests/gh13991.phpt
Outdated
| ?> | ||
| --CLEAN-- | ||
| <?php | ||
| @unlink(getcwd() . '/z.db'); |
There was a problem hiding this comment.
We should be careful somehow that we don't destroy files or users running the tests.
No, it seems ASAN isn't ran on this branch on push. |
ext/pdo_sqlite/sqlite_driver.c
Outdated
| @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) | |||
| } | |||
| return estrdup(filename); | |||
| } | |||
| if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) { | |||
| if (*filename && zend_binary_strcmp(filename, strlen(filename)-1, ":memory:", strlen(":memory:")-1)) { | |||
There was a problem hiding this comment.
I know very little pdo sqlite, but I do not get why -1 for the 2 strlen ? Legit question :)
ext/pdo_sqlite/sqlite_driver.c
Outdated
| @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) | |||
| } | |||
| return estrdup(filename); | |||
| } | |||
| if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) { | |||
| if (*filename && zend_binary_strcmp(filename, strlen(filename)-1, ":memory:", strlen(":memory:")-1)) { | |||
There was a problem hiding this comment.
Subtracting 1 from strlen is not necessary, the subtraction of 1 from sizeof is because sizeof also counts the NULL terminator but strlen does not.
There was a problem hiding this comment.
I was thinking about that same kind of confusion, just wanted to confirm.
There was a problem hiding this comment.
It seems like I'm a little too sleepy....Sorry for making me check again and again. (AM 1:43 JST)
There was a problem hiding this comment.
it s ok Saki :) relax, as nielsdos mentioned, an "attacker" can t do anything really malicious here. no rush :)
ext/pdo_sqlite/sqlite_driver.c
Outdated
| @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) | |||
| } | |||
| return estrdup(filename); | |||
| } | |||
| if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) { | |||
| if (*filename && zend_binary_strcmp(filename, strlen(filename), ":memory:", strlen(":memory:"))) { | |||
There was a problem hiding this comment.
I think I prefer just a regular call to strcmp, simpler and prevents computing the length too.
The binary strcmp doesn't rlly have an advantage when using strlen.
|
Thanks for the check. I'll merge it tomorrow! |
fixes #13984
This was also reproduced in 8.2.
Can the push test detect overflow?