. Fixed bug #69227 (Use after free in zval_scan caused by
spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
+- SQLITE:
+ . Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
+ (Dan Ackroyd)
+
19 Mar 2015, PHP 5.6.7
- Core:
efree(zargs[1]);
efree(zargs);
- //retval ought to contain a ZVAL_LONG by now
- // (the result of a comparison, i.e. most likely -1, 0, or 1)
- //I suppose we could accept any scalar return type, though.
- if (Z_TYPE_P(retval) != IS_LONG){
+ if (!retval) {
+ //Exception was thrown by callback, default to 0 for compare
+ ret = 0;
+ } else if (Z_TYPE_P(retval) != IS_LONG) {
+ //retval ought to contain a ZVAL_LONG by now
+ // (the result of a comparison, i.e. most likely -1, 0, or 1)
+ //I suppose we could accept any scalar return type, though.
php_error_docref(NULL TSRMLS_CC, E_WARNING, "An error occurred while invoking the compare callback (invalid return type). Collation behaviour is undefined.");
- }else{
+ } else {
ret = Z_LVAL_P(retval);
}
- zval_ptr_dtor(&retval);
+ if (retval) {
+ zval_ptr_dtor(&retval);
+ }
return ret;
}
--- /dev/null
+--TEST--
+Bug #68760 (Callback throws exception behaviour. Segfault in 5.6)
+--FILE--
+<?php
+function oopsFunction($a, $b) {
+ echo "callback";
+ throw new \Exception("oops");
+}
+
+$db = new SQLite3(":memory:");
+$db->exec("CREATE TABLE test (col1 string)");
+$db->exec("INSERT INTO test VALUES ('a1')");
+$db->exec("INSERT INTO test VALUES ('a10')");
+$db->exec("INSERT INTO test VALUES ('a2')");
+
+try {
+ $db->createCollation('NATURAL_CMP', 'oopsFunction');
+ $naturalSort = $db->query("SELECT col1 FROM test ORDER BY col1 COLLATE NATURAL_CMP");
+ while ($row = $naturalSort->fetchArray()) {
+ echo $row['col1'], "\n";
+ }
+ $db->close();
+}
+catch(\Exception $e) {
+ echo "Exception: ".$e->getMessage();
+}
+?>
+--EXPECTF--
+callback
+Warning: SQLite3::query(): An error occurred while invoking the compare callback in %a/bug68760.php on line %i
+Exception: oops
+
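Review bot: The Warning expected on L63 (`An error occurred while invoking the compare callback in %a/bug68760.php`) is not emitted by the new `!retval` branch in the earlier C hunk, which sets `ret = 0` silently, nor is it the `(invalid return type)` variant; it presumably comes from a subsequent compare invocation failing outright while the exception is pending, so the test pins the no-crash outcome but only indirectly covers the added branch. A short comment above the EXPECTF block would keep that from confusing the next maintainer, e.g. `// first compare throws; SQLite keeps sorting, later compares fail -> one Warning, then the exception surfaces after query()` (hedged, since this is inferred from the expected output rather than from code visible here). Returning 0 to SQLite after the throw also means the ORDER BY result is unspecified until the exception propagates, and since the script prints no rows in this case, that behaviour is not asserted. `$db->close()` on L55 is skipped when the exception propagates; wrapping it in `finally` would make the test self-contained rather than relying on shutdown cleanup.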