Fix bug #61755 parsing bug can lead to access violations

diff --git a/NEWS b/NEWS
index 0cabd9748daa27cb0f1dd6a318e9bfdcfb1e91d2..5fe7245b195993e7aa268844a7db1741c55f9723 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,7 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug #61537 (json_encode() incorrectly truncates/discards
     information). (Adam)
 
-?? ??? 2012, PHP 5.3.11
+- PDO:
+  . Fixed bug #61755 (A parsing bug in the prepared statements can lead to
+    access violations). (Johannes)
+
 - Iconv extension:
   . Fixed a bug that iconv extension fails to link to the correct library
     when another extension makes use of a library that links to the iconv

diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re
index 8becef9b63554e7f211d7eb6bb0c7bc4bb5fad45..88f94001f91f41fad9ddb8ca49f9fa85cb8de8db 100644 (file)
--- a/ext/pdo/pdo_sql_parser.re
+++ b/ext/pdo/pdo_sql_parser.re
@@ -32,12 +32,12 @@
 
 #define YYCTYPE         unsigned char
 #define YYCURSOR        cursor
-#define YYLIMIT         cursor
+#define YYLIMIT         s->end
 #define YYMARKER        s->ptr
-#define YYFILL(n)
+#define YYFILL(n)              { RET(PDO_PARSER_EOI); }
 
 typedef struct Scanner {
-       char    *ptr, *cur, *tok;
+       char    *ptr, *cur, *tok, *end;
 } Scanner;
 
 static int scan(Scanner *s) 
@@ -51,7 +51,6 @@ static int scan(Scanner *s)
        COMMENTS        = ("/*"([^*]+|[*]+[^/*])*[*]*"*/"|"--"[^\r\n]*);
        SPECIALS        = [:?"'];
        MULTICHAR       = [:?];
-       EOF                     = [\000];
        ANYNOEOF        = [\001-\377];
        */
 
@@ -64,7 +63,6 @@ static int scan(Scanner *s)
                SPECIALS                                                                { SKIP_ONE(PDO_PARSER_TEXT); }
                COMMENTS                                                                { RET(PDO_PARSER_TEXT); }
                (ANYNOEOF\SPECIALS)+                                    { RET(PDO_PARSER_TEXT); }
-               EOF                                                                             { RET(PDO_PARSER_EOI); }
        */      
 }
 
@@ -94,6 +92,7 @@ PDO_API int pdo_parse_params(pdo_stmt_t *stmt, char *inquery, int inquery_len,
 
        ptr = *outquery;
        s.cur = inquery;
+       s.end = inquery + inquery_len + 1;
 
        /* phase 1: look for args */
        while((t = scan(&s)) != PDO_PARSER_EOI) {

diff --git a/ext/pdo_mysql/tests/bug_61755.phpt b/ext/pdo_mysql/tests/bug_61755.phpt
new file mode 100644 (file)
index 0000000..1d2b968
--- /dev/null
+++ b/ext/pdo_mysql/tests/bug_61755.phpt
@@ -0,0 +1,41 @@
+--TEST--
+Bug #61755 (A parsing bug in the prepared statements can lead to access violations)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo') || !extension_loaded('pdo_mysql')) die('skip not loaded');
+require dirname(__FILE__) . '/config.inc';
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
+
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+echo "NULL-Byte before first placeholder:\n";
+$s = $db->prepare("SELECT \"a\0b\", ?");
+$s->bindValue(1,"c");
+$s->execute();
+$r = $s->fetch();
+echo "Length of item 0: ".strlen($r[0]).", Value of item 1: ".$r[1]."\n";
+
+echo "\nOpen comment:\n";
+try {
+    $s = $db->prepare("SELECT /*");
+    $s->execute();
+} catch (Exception $e) {
+    echo "Error code: ".$e->getCode()."\n";
+}
+
+echo "\ndone!\n";
+?>
+--EXPECTF--
+NULL-Byte before first placeholder:
+Length of item 0: 3, Value of item 1: c
+
+Open comment:
+Error code: 42000
+
+done!