File: CVE-2012-3450.patch

--- a/ext/pdo/pdo_sql_parser.re
+++ b/ext/pdo/pdo_sql_parser.re
@@ -32,12 +32,12 @@
 
 #define YYCTYPE         unsigned char
 #define YYCURSOR        cursor
-#define YYLIMIT         cursor
+#define YYLIMIT         s->end
 #define YYMARKER        s->ptr
-#define YYFILL(n)
+#define YYFILL(n)		{ RET(PDO_PARSER_EOI); }
 
 typedef struct Scanner {
-	char 	*ptr, *cur, *tok;
+	char 	*ptr, *cur, *tok, *end;
 } Scanner;
 
 static int scan(Scanner *s) 
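Review bot: The new `YYFILL(n)` returns `PDO_PARSER_EOI` outright, which means whatever partial token re2c was in the middle of (from `s->tok` to the cursor) is discarded rather than emitted, so the last real token of a query is only delivered because the byte at `s->end - 1` is a terminator no rule consumes; nothing in the hunk records that contract. I would put it next to the macro: `/* Out of input: drop any partial token; the caller's trailing NUL (inside s->end) is what terminates the last real token. */`, and annotate the new field as `char *ptr, *cur, *tok, *end; /* end: one past the last byte the scanner may read */`. The `RET` macro is not visible here, so whether it also advances `s->cur` on this path should be confirmed. `scan()` begins on the last line of this hunk and its body continues into the following hunks.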
@@ -50,7 +50,6 @@ static int scan(Scanner *s)
 	QUESTION	= [?];
 	SPECIALS	= [:?"'];
 	MULTICHAR	= [:?];
-	EOF			= [\000];
 	ANYNOEOF	= [\001-\377];
 	*/
 
@@ -62,7 +61,6 @@ static int scan(Scanner *s)
 		QUESTION								{ RET(PDO_PARSER_BIND_POS); }
 		SPECIALS								{ SKIP_ONE(PDO_PARSER_TEXT); }
 		(ANYNOEOF\SPECIALS)+ 					{ RET(PDO_PARSER_TEXT); }
-		EOF										{ RET(PDO_PARSER_EOI); }
 	*/	
 }
 
@@ -92,6 +90,7 @@ PDO_API int pdo_parse_params(pdo_stmt_t
 
 	ptr = *outquery;
 	s.cur = inquery;
+	s.end = inquery + inquery_len + 1;
 
 	/* phase 1: look for args */
 	while((t = scan(&s)) != PDO_PARSER_EOI) {
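Review bot: `s.end = inquery + inquery_len + 1;` deliberately lets the scanner read one byte past `inquery_len`, so the fix only closes the over-read if every caller passes a NUL-terminated buffer (zend strings are, but the hunk does not say so and `pdo_parse_params` is exported). A comment on that line would make the precondition explicit: `/* +1: the scanner may look at the terminating NUL; inquery must be NUL-terminated */`. If a driver can ever hand in a non-terminated buffer, `inquery + inquery_len` (with the terminator handled by `YYFILL`) would be the safer bound. The rest of `pdo_parse_params` lies outside this hunk.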
--- /dev/null
+++ b/ext/pdo_mysql/tests/bug_61755.phpt
@@ -0,0 +1,41 @@
+--TEST--
+Bug #61755 (A parsing bug in the prepared statements can lead to access violations)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo') || !extension_loaded('pdo_mysql')) die('skip not loaded');
+require dirname(__FILE__) . '/config.inc';
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
+
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+echo "NULL-Byte before first placeholder:\n";
+$s = $db->prepare("SELECT \"a\0b\", ?");
+$s->bindValue(1,"c");
+$s->execute();
+$r = $s->fetch();
+echo "Length of item 0: ".strlen($r[0]).", Value of item 1: ".$r[1]."\n";
+
+echo "\nOpen comment:\n";
+try {
+    $s = $db->prepare("SELECT /*");
+    $s->execute();
+} catch (Exception $e) {
+    echo "Error code: ".$e->getCode()."\n";
+}
+
+echo "\ndone!\n";
+?>
+--EXPECTF--
+NULL-Byte before first placeholder:
+Length of item 0: 3, Value of item 1: c
+
+Open comment:
+Error code: 42000
+
+done!
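Review bot: The regression test is placed under `ext/pdo_mysql/tests` and skips unless a configured MySQL server is reachable, yet the code it exercises is the driver-independent parser in `ext/pdo/pdo_sql_parser.re`, so the test will silently not run in most build environments. A copy driven through a driver that needs no server (the other `ext/pdo*/tests` directories use the same `PDOTest::test_factory` harness) would keep the CVE fix covered. Separately, the second case only checks the server's `42000` error code, not that the `/*` text reached the server; and `--EXPECTF--` can be `--EXPECT--` since the expected output contains no format specifiers.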