Fixed Bug #64949 (Buffer overflow in _pdo_pgsql_error)

remicollet · remicollet · commit 1c623e3b0712 · 2013-05-31T08:39:32.000+02:00
There is a lot of call such as:
	pdo_pgsql_error(dbh, PGRES_FATAL_ERROR, "Copy command failed");
Where the 3rd paramater is a error message string where a sqlstate (5 chars)
is expected. This cause a segfault in copy_from.phpt and copy_to.phpt.

This is only a sanity check to avoid buffer overflow, but obviously this
calls need to be fixed (using NULL or a correct sqlstate).
diff --git a/NEWS b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2013, PHP 5.3.27
 
+- PDO_pgsql:
+  . Fixed Bug #64949 (Buffer overflow in _pdo_pgsql_error). (Remi)
+
 ?? ??? 2013, PHP 5.3.26
 
 ### DO NOT ADD ENTRIES HERE, ADD THEM ABOVE FOR 5.3.27 ###
diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c
@@ -76,7 +76,7 @@ int _pdo_pgsql_error(pdo_dbh_t *dbh, pdo_stmt_t *stmt, int errcode, const char *
 		einfo->errmsg = NULL;
 	}
 
-	if (sqlstate == NULL) {
+	if (sqlstate == NULL || strlen(sqlstate) >= sizeof(pdo_error_type)) {
 		strcpy(*pdo_err, "HY000");
 	}
 	else {

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ int _pdo_pgsql_error(pdo_dbh_t dbh, pdo_stmt_t stmt, int errcode, const char *`
`76`	`76`	`einfo->errmsg = NULL;`
`77`	`77`	`}`
`78`	`78`
`79`		`- if (sqlstate == NULL) {`
	`79`	`+ if (sqlstate == NULL \|\| strlen(sqlstate) >= sizeof(pdo_error_type)) {`
`80`	`80`	`strcpy(*pdo_err, "HY000");`
`81`	`81`	`}`
`82`	`82`	`else {`