mirror of
git://slackware.nl/current.git
synced 2024-12-27 09:59:16 +01:00
34e6259d47
a/btrfs-progs-6.1.2-x86_64-1.txz: Upgraded.
l/mozilla-nss-3.87-x86_64-1.txz: Upgraded.
Fixed memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures.
For more information, see:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
https://www.cve.org/CVERecord?id=CVE-2021-43527
(* Security fix *)
l/nodejs-19.4.0-x86_64-1.txz: Upgraded.
n/php-7.4.33-x86_64-2.txz: Rebuilt.
This update fixes a security issue:
PDO::quote() may return unquoted string.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31631
(* Security fix *)
extra/php80/php80-8.0.27-x86_64-1.txz: Upgraded.
This update fixes a security issue:
PDO::quote() may return unquoted string.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31631
(* Security fix *)
extra/php81/php81-8.1.14-x86_64-1.txz: Upgraded.
This update fixes bugs and a security issue:
PDO::quote() may return unquoted string.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31631
(* Security fix *)
50 lines
1.8 KiB
Diff
50 lines
1.8 KiB
Diff
From 921b6813da3237a83e908998483f46ae3d8bacba Mon Sep 17 00:00:00 2001
|
|
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
|
Date: Mon, 31 Oct 2022 17:20:23 +0100
|
|
Subject: [PATCH] Fix #81740: PDO::quote() may return unquoted string
|
|
|
|
`sqlite3_snprintf()` expects its first parameter to be `int`; we need
|
|
to avoid overflow.
|
|
---
|
|
ext/pdo_sqlite/sqlite_driver.c | 3 +++
|
|
ext/pdo_sqlite/tests/bug81740.phpt | 17 +++++++++++++++++
|
|
2 files changed, 20 insertions(+)
|
|
create mode 100644 ext/pdo_sqlite/tests/bug81740.phpt
|
|
|
|
diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c
|
|
index 4233ff10ff2e..5a72a1eda23f 100644
|
|
--- a/ext/pdo_sqlite/sqlite_driver.c
|
|
+++ b/ext/pdo_sqlite/sqlite_driver.c
|
|
@@ -232,6 +232,9 @@ static char *pdo_sqlite_last_insert_id(pdo_dbh_t *dbh, const char *name, size_t
|
|
/* NB: doesn't handle binary strings... use prepared stmts for that */
|
|
static int sqlite_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, char **quoted, size_t *quotedlen, enum pdo_param_type paramtype )
|
|
{
|
|
+ if (unquotedlen > (INT_MAX - 3) / 2) {
|
|
+ return 0;
|
|
+ }
|
|
*quoted = safe_emalloc(2, unquotedlen, 3);
|
|
sqlite3_snprintf(2*unquotedlen + 3, *quoted, "'%q'", unquoted);
|
|
*quotedlen = strlen(*quoted);
|
|
diff --git a/ext/pdo_sqlite/tests/bug81740.phpt b/ext/pdo_sqlite/tests/bug81740.phpt
|
|
new file mode 100644
|
|
index 000000000000..99fb07c3048b
|
|
--- /dev/null
|
|
+++ b/ext/pdo_sqlite/tests/bug81740.phpt
|
|
@@ -0,0 +1,17 @@
|
|
+--TEST--
|
|
+Bug #81740 (PDO::quote() may return unquoted string)
|
|
+--SKIPIF--
|
|
+<?php
|
|
+if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
|
|
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
|
|
+?>
|
|
+--INI--
|
|
+memory_limit=-1
|
|
+--FILE--
|
|
+<?php
|
|
+$pdo = new PDO("sqlite::memory:");
|
|
+$string = str_repeat("a", 0x80000000);
|
|
+var_dump($pdo->quote($string));
|
|
+?>
|
|
+--EXPECT--
|
|
+bool(false)
|