From: Ilia Alshanetsky Date: Wed, 28 Apr 2010 12:10:10 +0000 (+0000) Subject: Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz... X-Git-Tag: php-5.3.3RC1~246 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5031bfc395bd9cc5a29389d5fe458c3452643b76;p=php Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.
---
diff --git a/NEWS b/NEWS
index 95b30a4a6d..e260a4722c 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,8 @@ PHP NEWS
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey)
+- Fixed a possible arbitrary memory access inside sqlite extension. Reported
+ by Mateusz Kocielski. (Ilia)
 - Fixed string format validation inside phar extension. Reported by Stefan Esser (Ilia)
 - Fixed handling of session variable serialization on certain prefix
diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c
index 4017dc7fbc..5fc562eeab 100644
--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
@@ -2508,7 +2508,7 @@ PHP_FUNCTION(sqlite_array_query)
 return;
 }
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
@@ -2624,7 +2624,7 @@ PHP_FUNCTION(sqlite_single_query)
 return;
 }
- rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+ rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC);
 if (db->last_err_code != SQLITE_OK) {
 if (rres) {
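Review bot: Neither `ecalloc(1, sizeof(*rres))` call site (this one in sqlite_array_query, and the identical one in the sqlite_single_query hunk below) says that the zero fill is the whole fix, so a later tidy-up back to `emalloc` would reintroduce the arbitrary memory access with no visible warning. I would add a comment above both allocations, e.g. `/* must be zeroed: the error path below can reach rres before sqlite_query() has filled it in */`. That wording assumes the `if (rres)` branch after a failed query reads or frees members of the struct, which is likely from the commit title but not visible here, since both function bodies start and end outside their hunks. Because the same allocation pattern is repeated in two callers, it may also be worth checking whether sqlite_query() itself can clear a caller-supplied result before use, so the guarantee does not depend on each call site.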