Fixed Bug #51577 (Uninitialized memory reference with oci_bind_array_by_name)

diff --git a/NEWS b/NEWS
index 9bb73c362192d8d27d370ce4e6f8d9063e25d366..8e03a5913455cfe63e40fa6d99e6595c5ecf91ec 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ PHP                                                                        NEWS
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 
+- Fixed Bug #51577 (Uninitialized memory reference with oci_bind_array_by_name)
 - Fixed bug #51445 (var_dump() invalid/slow *RECURSION* detection). (Felipe)
 - Fixed bug #51394 (Error line reported incorrectly if error handler throws an 
   exception). (Stas)

diff --git a/ext/oci8/oci8_statement.c b/ext/oci8/oci8_statement.c
index fa5d91559210f4ea9556af2f09f9354c9d231fbb..f7fda511a75eaa056a822d46070b76ff18199ff5 100644 (file)
--- a/ext/oci8/oci8_statement.c
+++ b/ext/oci8/oci8_statement.c
@@ -809,8 +809,16 @@ void php_oci_statement_free(php_oci_statement *statement TSRMLS_DC)
 int php_oci_bind_pre_exec(void *data, void *result TSRMLS_DC)
 {
        php_oci_bind *bind = (php_oci_bind *) data;
+
        *(int *)result = 0;
 
+       if (Z_TYPE_P(bind->zval) == IS_ARRAY) {
+               /* These checks are currently valid for oci_bind_by_name, not
+                * oci_bind_array_by_name.  Also bind->type and
+                * bind->indicator are not used for oci_bind_array_by_name.
+                */
+               return 0;
+       }       
        switch (bind->type) {
                case SQLT_NTY:
                case SQLT_BFILEE:
@@ -850,9 +858,8 @@ int php_oci_bind_pre_exec(void *data, void *result TSRMLS_DC)
                        }
                        break;
        }
-       
-       /* reset all bind stuff to a normal state..-. */
 
+       /* reset all bind stuff to a normal state..-. */
        bind->indicator = 0;
 
        return 0;