From e93c35b8b37b6a633b9026a025b89fe3f88b1fff Mon Sep 17 00:00:00 2001 From: Saki Takamachi Date: Thu, 18 Apr 2024 00:56:31 +0900 Subject: [PATCH 1/5] Buffer size is now checked before memcmp --- ext/pdo_sqlite/sqlite_driver.c | 2 +- ext/pdo_sqlite/tests/gh13991.phpt | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 ext/pdo_sqlite/tests/gh13991.phpt diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c index de5170a35a96b..2f34eafdf118f 100644 --- a/ext/pdo_sqlite/sqlite_driver.c +++ b/ext/pdo_sqlite/sqlite_driver.c @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) } return estrdup(filename); } - if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) { + if (*filename && (sizeof(filename) != sizeof(":memory:") || memcmp(filename, ":memory:", sizeof(":memory:")) != 0)) { char *fullpath = expand_filepath(filename, NULL); if (!fullpath) { diff --git a/ext/pdo_sqlite/tests/gh13991.phpt b/ext/pdo_sqlite/tests/gh13991.phpt new file mode 100644 index 0000000000000..f9b77a66fe867 --- /dev/null +++ b/ext/pdo_sqlite/tests/gh13991.phpt @@ -0,0 +1,16 @@ +--TEST-- +Fix GH-13984: Buffer size is now checked before memcmp +--EXTENSIONS-- +pdo_sqlite +--FILE-- + true]); +echo 'done!'; +?> +--CLEAN-- + +--EXPECT-- +done! From 28a51dc6f12ed4254af3dd902e617a525307a858 Mon Sep 17 00:00:00 2001 From: Saki Takamachi Date: Thu, 18 Apr 2024 01:28:41 +0900 Subject: [PATCH 2/5] address comments --- ext/pdo_sqlite/sqlite_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c index 2f34eafdf118f..f40f71d67fb31 100644 --- a/ext/pdo_sqlite/sqlite_driver.c +++ b/ext/pdo_sqlite/sqlite_driver.c 
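Review bot: `sizeof(filename)` on the `+` line of the sqlite_driver.c hunk is the size of a `const char *`, not of the string it points to, so it is never equal to `sizeof(":memory:")`, the `||` short-circuits on every platform, and `:memory:` is never recognised as the in-memory database — every such open would fall through to expand_filepath. When the right-hand memcmp is reached it still compares `sizeof(":memory:")` bytes, so it may read past the end of a filename shorter than nine bytes, which is the very over-read the subject line says is being fixed. The length has to come from `strlen(filename)`, or the comparison should be a NUL-terminated one; patches 2–5 of this series rework the expression and the note on the last hunk covers the final form. make_filename_safe starts before this hunk and its body continues after it.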
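Review bot: The new test file is named gh13991.phpt while its `--TEST--` line reads `Fix GH-13984`, so the two numbers do not refer to the same report; presumably 13984 is the issue and 13991 the pull request, and the file should carry the issue number so the test can be found from the bug it covers. The `--FILE--` body is not legible in this copy of the patch (only the trailing `true]);` of the constructor call survives), so the statements themselves are not reviewed here.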
@@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) } return estrdup(filename); } - if (*filename && (sizeof(filename) != sizeof(":memory:") || memcmp(filename, ":memory:", sizeof(":memory:")) != 0)) { + if (*filename && zend_binary_strcmp(filename, strlen(filename)-1, ":memory:", strlen(":memory:")-1)) { char *fullpath = expand_filepath(filename, NULL); if (!fullpath) { From 15e34dd3baeecc35d47922db2c8cd346a2b2ba9e Mon Sep 17 00:00:00 2001 From: Saki Takamachi Date: Thu, 18 Apr 2024 01:42:08 +0900 Subject: [PATCH 3/5] fixed test --- ext/pdo_sqlite/tests/gh13991.phpt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ext/pdo_sqlite/tests/gh13991.phpt b/ext/pdo_sqlite/tests/gh13991.phpt index f9b77a66fe867..fa847f8ba5b42 100644 --- a/ext/pdo_sqlite/tests/gh13991.phpt +++ b/ext/pdo_sqlite/tests/gh13991.phpt @@ -2,15 +2,17 @@ Fix GH-13984: Buffer size is now checked before memcmp --EXTENSIONS-- pdo_sqlite +--SKIPIF-- + --FILE-- true]); echo 'done!'; ?> --CLEAN-- --EXPECT-- done! From d248a608fe437f0822068788953010bae4e59be5 Mon Sep 17 00:00:00 2001 From: Saki Takamachi Date: Thu, 18 Apr 2024 01:45:35 +0900 Subject: [PATCH 4/5] remove `-1` --- ext/pdo_sqlite/sqlite_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c index f40f71d67fb31..c357d994d0576 100644 --- a/ext/pdo_sqlite/sqlite_driver.c +++ b/ext/pdo_sqlite/sqlite_driver.c @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) } return estrdup(filename); } - if (*filename && zend_binary_strcmp(filename, strlen(filename)-1, ":memory:", strlen(":memory:")-1)) { + if (*filename && zend_binary_strcmp(filename, strlen(filename), ":memory:", strlen(":memory:"))) { char *fullpath = expand_filepath(filename, NULL); if (!fullpath) { From 5b64ffe6784ecae27f44da09d6c0dbddf5dbb074 Mon Sep 17 00:00:00 2001 
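Review bot: The `-1` on both lengths in the `+` line of the first hunk on this line drops the last character from each side, so zend_binary_strcmp, which compares the shorter of the two lengths and then the lengths themselves, sees seven bytes on each side and any eight-character name beginning with `:memory` (`:memoryX`, say) compares equal to `:memory:` and is treated as the in-memory database instead of a file path. The lengths should be `strlen(filename)` and `strlen(":memory:")`, which is what patch 4 of this series later writes. The `*filename` guard keeps `strlen(filename)-1` from wrapping on an empty string, so the hazard here is misclassification rather than an out-of-range length. make_filename_safe begins before the hunk and continues after it.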
From: Saki Takamachi <34942839+SakiTakamachi@users.noreply.github.com> Date: Thu, 18 Apr 2024 02:20:17 +0900 Subject: [PATCH 5/5] use strcmp --- ext/pdo_sqlite/sqlite_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/pdo_sqlite/sqlite_driver.c b/ext/pdo_sqlite/sqlite_driver.c index c357d994d0576..2f494c2ddb8b3 100644 --- a/ext/pdo_sqlite/sqlite_driver.c +++ b/ext/pdo_sqlite/sqlite_driver.c @@ -751,7 +751,7 @@ static char *make_filename_safe(const char *filename) } return estrdup(filename); } - if (*filename && zend_binary_strcmp(filename, strlen(filename), ":memory:", strlen(":memory:"))) { + if (*filename && strcmp(filename, ":memory:")) { char *fullpath = expand_filepath(filename, NULL); if (!fullpath) {
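Review bot: The final condition `strcmp(filename, ":memory:")` on the `+` line is correct, but nothing in the code records why `memcmp(..., sizeof(":memory:"))` had to go, which is the whole point of this series, and the next maintainer may well "optimise" it back. A one-line comment above the `if` would pin it: `/* strcmp stops at the NUL, so a filename shorter than ":memory:" is never read past its end (GH-13984) */`. Using the strcmp result as a bare truth value also hides the intent; `strcmp(filename, ":memory:") != 0` reads as "not the in-memory database" and matches the explicit `!= 0` form patch 1 of this series used. make_filename_safe starts before this hunk and its body continues after it.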