MFH: Fixed several buffer overflows.
authorIlia Alshanetsky <iliaa@php.net>
Thu, 23 Dec 2004 19:29:36 +0000 (19:29 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Thu, 23 Dec 2004 19:29:36 +0000 (19:29 +0000)
ext/fbsql/php_fbsql.c

index 415fe94bfd17ee85cb04f4f3ac2d8d1f4593189e..f7b765be3e8a6909aee967674b5490a057ae5efd 100644 (file)
@@ -459,11 +459,11 @@ PHP_MINFO_FUNCTION(fbsql)
 
        if (FB_SQL_G(allowPersistent))
        {
-               sprintf(buf, "%ld", FB_SQL_G(persistentCount));
+               snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(persistentCount));
                php_info_print_table_row(2, "Active Persistent Links", buf);
        }
 
-       sprintf(buf, "%ld", FB_SQL_G(linkCount));
+       snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(linkCount));
        php_info_print_table_row(2, "Active Links", buf);
 
 /*
@@ -507,7 +507,9 @@ static void php_fbsql_do_connect(INTERNAL_FUNCTION_PARAMETERS, int persistent)
        if (userName     == NULL) userName     = FB_SQL_G(userName);
        if (userPassword == NULL) userPassword = FB_SQL_G(userPassword);
 
-       sprintf(name, "fbsql_%s_%s_%s", hostName, userName, userPassword);
+       if (snprintf(name, sizeof(name), "fbsql_%s_%s_%s", hostName, userName, userPassword) < 0) {
+               RETURN_FALSE;
+       }
 
        if (!FB_SQL_G(allowPersistent)) {
                persistent=0;
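Review bot: The `< 0` test on the new `snprintf` call does not catch truncation, so an over-long host, user or password still yields a shortened `name` that is used as if it were complete. If `name` is the key under which persistent links are looked up (the `persistent` handling just below suggests so, but the lookup is outside this hunk), two different credential sets sharing a long prefix could resolve to the same key. Consider rejecting truncation too, e.g. `int n = snprintf(name, sizeof(name), ...); if (n < 0 || n >= (int)sizeof(name)) { RETURN_FALSE; }`, after confirming which return convention PHP's snprintf wrapper follows. The same `< 0`-only check appears in the fbsql_change_user and fbsql_list_fields hunks, where a truncated statement would be sent to the server.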
@@ -818,9 +820,21 @@ PHP_FUNCTION(fbsql_set_transaction)
                        WRONG_PARAM_COUNT;
                        break;
        }
+
+       if (Z_LVAL_PP(Locking) < 0 || Z_LVAL_PP(Locking) > 2) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid locking type.");
+               RETURN_FALSE;
+       }
+       if (Z_LVAL_PP(strIsolation) < 0 || Z_LVAL_PP(Isolation) > 4) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid isolation type.");
+               RETURN_FALSE;
+       }
+
        ZEND_FETCH_RESOURCE2(phpLink, PHPFBLink *, fbsql_link_index, -1, "FrontBase-Link", le_link, le_plink);
 
-       sprintf(strSQL, "SET TRANSACTION LOCKING %s, ISOLATION %s;", strLocking[Z_LVAL_PP(Locking)], strIsolation[Z_LVAL_PP(Isolation)]);
+       if (snprintf(strSQL, sizeof(strSQL) , "SET TRANSACTION LOCKING %s, ISOLATION %s;", strLocking[Z_LVAL_PP(Locking)], strIsolation[Z_LVAL_PP(Isolation)]) < 0) {
+               RETURN_FALSE;
+       }
 
        md = fbcdcExecuteDirectSQL(phpLink->connection, strSQL);
        fbcmdRelease(md);
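Review bot: The first operand of the new isolation check reads `Z_LVAL_PP(strIsolation)`, but `strIsolation` is the string table indexed a few lines later, not the `Isolation` argument. At best this fails to compile; otherwise a negative isolation value is not rejected and still reaches `strIsolation[Z_LVAL_PP(Isolation)]`. The line should read `if (Z_LVAL_PP(Isolation) < 0 || Z_LVAL_PP(Isolation) > 4) {`. The limits 2 and 4 are also hard-coded; deriving them from the element counts of `strLocking` and `strIsolation` (declared outside this hunk) would keep the checks in step with the tables.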
@@ -1417,7 +1431,9 @@ PHP_FUNCTION(fbsql_change_user)
        convert_to_string_ex(password);
        userPassword = Z_STRVAL_PP(password);
 
-       sprintf(buffer, "SET AUTHORIZATION %s;", userName);
+       if (snprintf(buffer, sizeof(buffer), "SET AUTHORIZATION %s;", userName) < 0) {
+               RETURN_FALSE;
+       }
 
        phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, buffer, phpLink);
        if (Z_LVAL_P(return_value))
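Review bot: `userName` is still formatted straight into `SET AUTHORIZATION %s;` with no validation or quoting, so bounding the buffer does not stop a supplied value from changing the statement that is sent to the server. Validate it as a plain identifier (or quote it according to FrontBase's identifier rules) before the `snprintf` call and return FALSE otherwise. The fbsql_list_fields hunk has the same pattern with `tableName` in `SELECT * FROM %s WHERE 1=0;`. Where `userName` is assigned is outside this hunk, so confirm it comes from the script's arguments.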
@@ -2084,7 +2100,9 @@ PHP_FUNCTION(fbsql_list_fields)
                RETURN_FALSE;
        }
 
-       sprintf(sql, "SELECT * FROM %s WHERE 1=0;", tableName);
+       if (snprintf(sql, sizeof(sql), "SELECT * FROM %s WHERE 1=0;", tableName) < 0) {
+               RETURN_FALSE;
+       }
 
        phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, sql, phpLink);
 }
@@ -2268,7 +2286,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                { 
                        int v = *((int*)data);
                        char b[128];
-                       sprintf(b, "%d", v);
+                       snprintf(b, sizeof(b), "%d", v);
                        phpfbestrdup(b, length, value);
                }
                break;
@@ -2277,7 +2295,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                { 
                        short int v = *((FBTinyInteger*)data);
                        char b[128];
-                       sprintf(b, "%d", v);
+                       snprintf(b, sizeof(b), "%d", v);
                        phpfbestrdup(b, length, value);
                }
                break;
@@ -2288,9 +2306,9 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                        FBLongInteger v = *((FBLongInteger*)data);
                        char b[128];
 #ifdef PHP_WIN32
-                       sprintf(b, "%I64i", v);
+                       snprintf(b, sizeof(b), "%I64i", v);
 #else
-                       sprintf(b, "%ll", v);
+                       snprintf(b, sizeof(b), "%ll", v);
 #endif
                        phpfbestrdup(b, length, value);
                }
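Review bot: The non-Windows branch keeps the format `"%ll"`, which is a length modifier with no conversion specifier, so the output is undefined by the C standard and `b` may not contain the number at all. Assuming `FBLongInteger` is a 64-bit integer (the `%I64i` branch suggests so), use `snprintf(b, sizeof(b), "%lld", (long long)v);`.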
@@ -2300,7 +2318,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                {
                        short v = *((short*)data);
                        char b[128];
-                       sprintf(b, "%d", v);
+                       snprintf(b, sizeof(b), "%d", v);
                        phpfbestrdup(b, length, value);
                }
                break; 
@@ -2313,7 +2331,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                {
                        double v = *((double*)data);
                        char b[128];
-                       sprintf(b, "%f", v);
+                       snprintf(b, sizeof(b), "%f", v);
                        phpfbestrdup(b, length, value);
                }
                break;
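Review bot: `%f` applied to a large `double` can need more than 300 characters, so with `char b[128]` the new call truncates silently and `phpfbestrdup` hands back a string that reads as a different, much smaller number. Either size `b` for the worst case or use a bounded representation such as `snprintf(b, sizeof(b), "%.15G", v);`, noting that this changes the textual format callers see. The later hunk that formats `seconds` has the same pattern.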
@@ -2346,7 +2364,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                                *length = l*2+3+1;
                                if (value)
                                {
-                                       char* r = emalloc(l*2+3+1);
+                                       char* r = safe_emalloc(l, 2, 4);
                                        r[0] = 'X';
                                        r[1] = '\'';
                                        for (i = 0; i < nBits / 8; i++)
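Review bot: The allocation is now overflow-checked, but `*length = l*2+3+1` on the context line above is still computed with plain arithmetic, and it is the only result the caller gets when `value` is NULL, so the reported length can wrap even though `safe_emalloc(l, 2, 4)` would have bailed out. The size is also spelled two ways (`l*2+3+1` and `l, 2, 4`) that must be kept equal by hand; a comment such as `/* 2 hex digits per byte + "X'" + closing quote + NUL */` next to the allocation would make that explicit. The loop bound is `nBits / 8` rather than `l`; how the two relate is outside this hunk and worth confirming. The following hunk (the `'B'` case) has the same shape.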
@@ -2368,7 +2386,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                                *length = l*2+3+1;
                                if (value)
                                {
-                                       char* r = emalloc(l*2+3+1);
+                                       char* r = safe_emalloc(l, 2, 4);
                                        r[0] = 'B';
                                        r[1] = '\'';
                                        for (i = 0; i < nBits; i++)
@@ -2400,7 +2418,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                {
                        char b[128];
                        int v = *((unsigned int*)data);
-                       sprintf(b, "%d", v);
+                       snprintf(b, sizeof(b), "%d", v);
                        phpfbestrdup(b, length, value);
                }
                break;
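Review bot: The value is read through `unsigned int *` but stored in `int v` and printed with `%d`, so values above INT_MAX come out negative. If the column type really is unsigned (the cast suggests so), declare `unsigned int v = *((unsigned int*)data);` and format it with `snprintf(b, sizeof(b), "%u", v);`.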
@@ -2409,7 +2427,7 @@ void phpfbColumnAsString(PHPFBResult* result, int column, void* data , int* leng
                {
                        char b[128];
                        double seconds = *((double*)data);
-                       sprintf(b, "%f", seconds);
+                       snprintf(b, sizeof(b), "%f", seconds);
                        phpfbestrdup(b, length, value);
                }
                break;