|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2012-10-08 07:36 UTC] [email protected]
Description: ------------ Already report on internals http://marc.info/?t=134262688600006&r=1&w=2 Discard state is 5 char long, so buffer must be 6. Trivial fix attached. (could apply in all branches) Patchesphp-5.3.3-pdo-overflow.patch (last revision 2012-10-08 07:37 UTC by [email protected])Pull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Jul 20 12:00:03 2025 UTC |
maybe the discard_buf should also be consistent with struct pdo_odbc_errinfo.last_err_msg which is "char last_err_msg[SQL_MAX_MESSAGE_LENGTH];" diff is: diff --git a/ext/pdo_odbc/odbc_driver.c b/ext/pdo_odbc/odbc_driver.c index 84a147b..2176051 100755 --- a/ext/pdo_odbc/odbc_driver.c +++ b/ext/pdo_odbc/odbc_driver.c @@ -114,8 +114,8 @@ void pdo_odbc_error(pdo_dbh_t *dbh, pdo_stmt_t *stmt, PDO_ODBC_HSTMT statement, * diagnostic records (which can be generated by PRINT statements * in the query, for instance). */ while (rc == SQL_SUCCESS || rc == SQL_SUCCESS_WITH_INFO) { - char discard_state[5]; - char discard_buf[1024]; + char discard_state[6]; + char discard_buf[SQL_MAX_MESSAGE_LENGTH]; SQLINTEGER code; rc = SQLGetDiagRec(htype, eh, recno++, discard_state, &code, discard_buf, sizeof(discard_buf)-1, &errmsgsize);@laruence, I agree, but is this case should rather be SQL_MAX_MESSAGE_LENGTH+1 as used in unixODBC source code. But this have no risk as this is (mostly) protected by the buffer_length arg. From extract_sql_error_rec function source code (unixODBC-2.3.1/DriverManager/SQLGetDiagRec.c) if ( sqlstate ) strcpy((char*) sqlstate, "00000" ); Here is the buffer overflow issue (no length protection).