Fixed possible crash inside sqlite_escape_string() and
authorIlia Alshanetsky <iliaa@php.net>
Fri, 27 Feb 2004 00:29:10 +0000 (00:29 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Fri, 27 Feb 2004 00:29:10 +0000 (00:29 +0000)
sqlite_udf_encode_binary().

ext/sqlite/sqlite.c
ext/sqlite/tests/sqlite_027.phpt [new file with mode: 0755]

index d923045125d5d8274e31fa7838085f5f2f8fae99..a16603b57844219320c4eabbe61e2938ba301af2 100644 (file)
@@ -2604,7 +2604,7 @@ PHP_FUNCTION(sqlite_escape_string)
                /* binary string */
                int enclen;
                
-               ret = emalloc( 1 + ((256 * stringlen + 1262) / 253) );
+               ret = emalloc( 1 + 5 + stringlen * (256 / 253) );
                ret[0] = '\x01';
                enclen = php_sqlite_encode_binary(string, stringlen, ret+1);
                RETVAL_STRINGL(ret, enclen+1, 0);
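Review bot: `256 / 253` in the new size expression is integer division and evaluates to 1, so the buffer is only `stringlen + 6` bytes and the headroom the removed formula reserved for encoder expansion (roughly 3 extra bytes per 253 input bytes) is gone. If php_sqlite_encode_binary() can emit more than stringlen + 5 bytes for data that needs escaping (its body is not in this hunk, so this should be confirmed), the write through `ret+1` runs past the allocation. An overflow-free form of the earlier bound is `ret = emalloc( 1 + stringlen + 3 * (stringlen / 253) + 8 );`, and the same applies to the `datalen` line in the sqlite_udf_encode_binary hunk. Both function bodies extend beyond the hunks shown.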
@@ -2834,7 +2834,7 @@ PHP_FUNCTION(sqlite_udf_encode_binary)
                int enclen;
                char *ret;
                
-               ret = emalloc( 1 + ((256 * datalen + 1262) / 253) );
+               ret = emalloc( 1 + 5 + datalen * (256 / 253) );
                ret[0] = '\x01';
                enclen = php_sqlite_encode_binary(data, datalen, ret+1);
                RETVAL_STRINGL(ret, enclen+1, 0);
diff --git a/ext/sqlite/tests/sqlite_027.phpt b/ext/sqlite/tests/sqlite_027.phpt
new file mode 100755 (executable)
index 0000000..52c17b3
--- /dev/null
@@ -0,0 +1,13 @@
+--TEST--
+sqlite: crash inside sqlite_escape_string() & sqlite_udf_encode_binary
+--SKIPIF--
+<?php # vim:ft=php
+if (!extension_loaded("sqlite")) print "skip"; ?>
+--FILE--
+<?php
+       var_dump(strlen(sqlite_escape_string(str_repeat("\0", 20000000))));
+       var_dump(strlen(sqlite_udf_encode_binary(str_repeat("\0", 20000000))));
+?>
+--EXPECT--
+int(20000002)
+int(20000002)
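Review bot: Both cases feed only NUL bytes, which the expected `int(20000002)` shows growing by just two bytes, so the test never exercises data the encoder has to escape and is unlikely to notice an undersized buffer in the C code. A round-trip case over mixed binary data, for example `var_dump(sqlite_udf_decode_binary(sqlite_udf_encode_binary($data)) === $data);` with `$data` built from varied byte values, would cover that path. Two 20000000-byte strings may also exceed a low memory_limit on the test host; an `--INI--` section raising it would make the test less environment-dependent.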