From: Ilia Alshanetsky <iliaa@php.net>
Date: Fri, 27 Feb 2004 00:29:10 +0000 (+0000)
Subject: Fixed possible crash inside sqlite_escape_string() and
X-Git-Tag: RELEASE_0_2_0~140
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c856e821d0609a6b1f7e97f721ac1473887b11da;p=php

Fixed possible crash inside sqlite_escape_string() and
sqlite_udf_encode_binary().
---

diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c
index d923045125..a16603b578 100644
--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
@@ -2604,7 +2604,7 @@ PHP_FUNCTION(sqlite_escape_string)
 		/* binary string */
 		int enclen;
 		
-		ret = emalloc( 1 + ((256 * stringlen + 1262) / 253) );
+		ret = emalloc( 1 + 5 + stringlen * (256 / 253) );
 		ret[0] = '\x01';
 		enclen = php_sqlite_encode_binary(string, stringlen, ret+1);
 		RETVAL_STRINGL(ret, enclen+1, 0);
@@ -2834,7 +2834,7 @@ PHP_FUNCTION(sqlite_udf_encode_binary)
 		int enclen;
 		char *ret;
 		
-		ret = emalloc( 1 + ((256 * datalen + 1262) / 253) );
+		ret = emalloc( 1 + 5 + datalen * (256 / 253) );
 		ret[0] = '\x01';
 		enclen = php_sqlite_encode_binary(data, datalen, ret+1);
 		RETVAL_STRINGL(ret, enclen+1, 0);
diff --git a/ext/sqlite/tests/sqlite_027.phpt b/ext/sqlite/tests/sqlite_027.phpt
new file mode 100755
index 0000000000..52c17b309b
--- /dev/null
+++ b/ext/sqlite/tests/sqlite_027.phpt
@@ -0,0 +1,13 @@
+--TEST--
+sqlite: crash inside sqlite_escape_string() & sqlite_udf_encode_binary
+--SKIPIF--
+<?php # vim:ft=php
+if (!extension_loaded("sqlite")) print "skip"; ?>
+--FILE--
+<?php
+	var_dump(strlen(sqlite_escape_string(str_repeat("\0", 20000000))));
+	var_dump(strlen(sqlite_udf_encode_binary(str_repeat("\0", 20000000))));
+?>
+--EXPECT--
+int(20000002)
+int(20000002)