From: Xinchen Hui <laruence@gmail.com>
Date: Wed, 11 May 2016 03:12:27 +0000 (+0800)
Subject: Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound)
X-Git-Tag: php-7.0.8RC1~73
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=66ad4fc393d687f4ca255dd3788529856942bbaa;p=php

Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound)
---

diff --git a/NEWS b/NEWS
index 16b39b51b7..245ae996db 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016 PHP 7.0.8
 
+- PDO_pgsql:
+  . Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound).
+    (Laruence)
+
 
 26 May 2016 PHP 7.0.7
 
diff --git a/ext/pdo_pgsql/pgsql_statement.c b/ext/pdo_pgsql/pgsql_statement.c
index a6a69ac3d0..fb6249aa14 100644
--- a/ext/pdo_pgsql/pgsql_statement.c
+++ b/ext/pdo_pgsql/pgsql_statement.c
@@ -288,6 +288,10 @@ static int pgsql_stmt_param_hook(pdo_stmt_t *stmt, struct pdo_bound_param_data *
 				break;
 
 			case PDO_PARAM_EVT_ALLOC:
+				if (!zend_hash_index_exists(stmt->bound_param_map, param->paramno)) {
+					pdo_raise_impl_error(stmt->dbh, stmt, "HY093", "parameter was not defined");
+					return 0;
+				}
 			case PDO_PARAM_EVT_EXEC_POST:
 			case PDO_PARAM_EVT_FETCH_PRE:
 			case PDO_PARAM_EVT_FETCH_POST:
@@ -315,10 +319,12 @@ static int pgsql_stmt_param_hook(pdo_stmt_t *stmt, struct pdo_bound_param_data *
 				if (param->paramno >= 0) {
 					zval *parameter;
 
+					/*
 					if (param->paramno >= zend_hash_num_elements(stmt->bound_params)) {
 						pdo_raise_impl_error(stmt->dbh, stmt, "HY093", "parameter was not defined");
 						return 0;
 					}
+					*/
 
 					if (Z_ISREF(param->parameter)) {
 						parameter = Z_REFVAL(param->parameter);
diff --git a/ext/pdo_pgsql/tests/bug71573.phpt b/ext/pdo_pgsql/tests/bug71573.phpt
new file mode 100644
index 0000000000..d3046bff6b
--- /dev/null
+++ b/ext/pdo_pgsql/tests/bug71573.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #71573 (Segfault (core dumped) if paramno beyond bound)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo') || !extension_loaded('pdo_pgsql')) die('skip not loaded');
+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+require_once dirname(__FILE__) . '/config.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+require_once dirname(__FILE__) . '/config.inc';
+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
+
+$statement = $db->prepare('select ?');
+$statement->execute([ 'test', 'test', 'test' ]);
+
+?>
+--EXPECTF--
+Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in %sbug71573.php on line %d