Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz...
authorIlia Alshanetsky <iliaa@php.net>
Wed, 28 Apr 2010 12:10:10 +0000 (12:10 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Wed, 28 Apr 2010 12:10:10 +0000 (12:10 +0000)
NEWS
ext/sqlite/sqlite.c

diff --git a/NEWS b/NEWS
index dbe72b7df6992762fbd99c893b43bb6e1a0fb4e1..1fc1f95390a4619eb13ab6d827360db37e4652cc 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,8 @@ PHP                                                                        NEWS
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 - Fixed handling of session variable serialization on certain prefix
   characters. Reported by Stefan Esser (Ilia)
+- Fixed a possible arbitrary memory access inside sqlite extension. Reported
+  by Mateusz Kocielski. (Ilia)  
 
 - Fixed bug #51671 (imagefill does not work correctly for small images).
   (Pierre)
index adb2d2ba1aad8c5e9457636a941ea3ece0b1b97a..6e27a4a33616e552d1a36e2456031ac2aacc2984 100644 (file)
@@ -2170,7 +2170,7 @@ PHP_FUNCTION(sqlite_array_query)
                return;
        }
 
-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {
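Review bot: The switch to ecalloc on the `rres =` line is sufficient only because the error path that follows (`if (db->last_err_code != SQLITE_OK) { if (rres) {`, whose body continues outside the hunk) presumably tears the partially built result down, and that teardown must treat all-zero fields as "nothing to free"; with emalloc those fields held heap garbage, which is the arbitrary memory access the commit title describes. That dependency is invisible at the allocation site, so a short comment would stop a later change from reverting to emalloc for speed: `/* ecalloc, not emalloc: if sqlite_query() fails, the result is destroyed below and its dtor must see NULL fields rather than uninitialized heap data */`. The identical change in sqlite_single_query in the next hunk wants the same comment. The cast on ecalloc is unnecessary in C, though it matches the surrounding code and is not worth changing in a security fix.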
@@ -2286,7 +2286,7 @@ PHP_FUNCTION(sqlite_single_query)
                return;
        }
 
-       rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+       rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
        sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC);
        if (db->last_err_code != SQLITE_OK) {
                if (rres) {