Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz...
authorIlia Alshanetsky <iliaa@php.net>
Wed, 28 Apr 2010 12:10:10 +0000 (12:10 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Wed, 28 Apr 2010 12:10:10 +0000 (12:10 +0000)
NEWS
ext/sqlite/sqlite.c

diff --git a/NEWS b/NEWS
index 95b30a4a6db982242febc5fe3beeb63fed18791a..e260a4722c45ee383e82bd0dec380493737565d8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,8 @@ PHP                                                                        NEWS
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)
 
+- Fixed a possible arbitrary memory access inside sqlite extension. Reported 
+  by Mateusz Kocielski. (Ilia)
 - Fixed string format validation inside phar extension. Reported by Stefan
   Esser (Ilia)
 - Fixed handling of session variable serialization on certain prefix
index 4017dc7fbca942f1c93ea9694f6304f56315e133..5fc562eeab01ada4a3fe963eadb0a824b8b302b6 100644 (file)
@@ -2508,7 +2508,7 @@ PHP_FUNCTION(sqlite_array_query)
                return;
        }
 
-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
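Review bot: Nothing at the `ecalloc(1, sizeof(*rres))` call in sqlite_array_query says why the result struct has to start zeroed, so a later cleanup could switch it back to `emalloc` and reintroduce the uninitialised read; the same applies to the identical line in sqlite_single_query in the next hunk. Judging from the commit message, sqlite_query() can presumably return without filling `*rres`, after which its fields are used as pointers; the hunk does not show that path, so this should be confirmed. I would add above both allocations `/* must be zero-filled: sqlite_query() may return early without populating *rres */`. It is also worth checking any other caller that hands sqlite_query() a pre-allocated result, which this diff does not show. Both function bodies start and end outside the hunks.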
@@ -2624,7 +2624,7 @@ PHP_FUNCTION(sqlite_single_query)
                return;
        }
 
-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {