1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
From d910f2d8dad3ec3351a6e583b1d157f8f286437c Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 31 Oct 2022 17:20:23 +0100
Subject: [PATCH 1/3] Fix #81740: PDO::quote() may return unquoted string
`sqlite3_snprintf()` expects its first parameter to be `int`; we need
to avoid overflow.
(cherry picked from commit 921b6813da3237a83e908998483f46ae3d8bacba)
(cherry picked from commit 7cb160efe19d3dfb8b92629805733ea186b55050)
---
ext/pdo_sqlite/sqlite_driver.c | 3 +++
ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++
2 files changed, 20 insertions(+)
create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt
diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c
index 09df8d7996..413c23c3d0 100644
--- a/ext/pdo_sqlite/sqlite_driver.c
+++ b/ext/pdo_sqlite/sqlite_driver.c
@@ -232,6 +232,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, unsigne
/* NB: doesn't handle binary strings... use prepared stmts for that */
static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, int unquotedlen, char **quoted, int *quotedlen, enum pdo_param_type paramtype TSRMLS_DC)
{
+ if (unquotedlen > (INT_MAX - 3) / 2) {
+ return 0;
+ }
*quoted = safe_emalloc(2, unquotedlen, 3);
sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted);
*quotedlen = strlen(*quoted);
diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
new file mode 100644
index 0000000000..99fb07c304
--- /dev/null
+++ b/ext/pdo_sqlite/tests/bug81740.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #81740 (PDO::quote() may return unquoted string)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+?>
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+$pdo = new PDO("sqlite::memory:");
+$string = str_repeat("a", 0x80000000);
+var_dump($pdo->quote($string));
+?>
+--EXPECT--
+bool(false)
--
2.38.1
From f17a7dfa62b6b9aead71433cfe2563a5221e5228 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 20 Dec 2022 08:42:44 +0100
Subject: [PATCH 2/3] adapt test for 5.x
---
ext/pdo_sqlite/tests/bug81740.phpt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
index 99fb07c304..08947e3512 100644
--- a/ext/pdo_sqlite/tests/bug81740.phpt
+++ b/ext/pdo_sqlite/tests/bug81740.phpt
@@ -10,7 +10,7 @@ memory_limit=-1
--FILE--
<?php
$pdo = new PDO("sqlite::memory:");
-$string = str_repeat("a", 0x80000000);
+$string = str_repeat("a", 0x7fffffff);
var_dump($pdo->quote($string));
?>
--EXPECT--
--
2.38.1
From 67b761ac0516914bf579df77dc548835c2e38e4a Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Mon, 19 Dec 2022 09:24:02 +0100
Subject: [PATCH 3/3] NEWS
(cherry picked from commit 7328f3a0344806b846bd05657bdce96e47810bf0)
(cherry picked from commit dbfbd99e91701c0a5613133c06305fd70545e9ad)
---
NEWS | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/NEWS b/NEWS
index eefb5b9b50..3d026cf70c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,12 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 8.0.27
+
+- PDO/SQLite:
+ . Fixed bug #81740 (PDO::quote() may return unquoted string).
+ (CVE-2022-31631) (cmb)
+
Backported from 7.4.32
- Core:
--
2.38.1
|