From 25cb6f001f3070062c2ffbb955a58bb3052bbf16 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 11 Apr 2015 16:56:12 -0700
Subject: [PATCH] Merge branch 'PHP-5.4.40' into PHP-5.5.24

* PHP-5.4.40:
  Additional fix for bug #69324
  More fixes for bug #69152
  Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
  Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar)
  Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER)
  Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4)
  Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault)
  Fixed bug #68901 (use after free)
  Fixed bug #68740 (NULL Pointer Dereference)
  Fix bug #66550 (SQLite prepared statement use-after-free)
  Better fix for #68601 for perf https://bitbucket.org/libgd/gd-libgd/commits/81e9a993f2893d651d225646378e3fd1b7465467
  Fix bug #68601 buffer read overflow in gd_gif_in.c
  Revert "Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4"
  Fixed bug #69293
  Add ZEND_ARG_CALLABLE_INFO to allow internal function to type hint against callable.
---
 ext/ereg/regex/regcomp.c        |  4 ++++
 ext/sqlite3/sqlite3.c           | 16 ++++++++++++++++
 ext/sqlite3/tests/bug66550.phpt | 23 +++++++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 ext/sqlite3/tests/bug66550.phpt

diff --git a/ext/ereg/regex/regcomp.c b/ext/ereg/regex/regcomp.c
index f4bfc1c167..c2223d7dbe 100644
--- a/ext/ereg/regex/regcomp.c
+++ b/ext/ereg/regex/regcomp.c
@@ -1284,6 +1284,10 @@ int c;
 	register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;
 	register unsigned uc = (unsigned char)c;
 
+	if (!g->setbits) {
+		return(0);
+	}
+
 	for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
 		if (col[uc] != 0)
 			return(1);
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 8178d4f3b2..ce3af65fcb 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1279,6 +1279,8 @@ PHP_METHOD(sqlite3stmt, paramCount)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1295,6 +1297,8 @@ PHP_METHOD(sqlite3stmt, close)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1313,6 +1317,8 @@ PHP_METHOD(sqlite3stmt, reset)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1333,6 +1339,8 @@ PHP_METHOD(sqlite3stmt, clear)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1354,6 +1362,8 @@ PHP_METHOD(sqlite3stmt, readOnly)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1421,6 +1431,8 @@ PHP_METHOD(sqlite3stmt, bindParam)
 	zval *object = getThis();
 	struct php_sqlite3_bound_param param = {0};
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	param.param_number = -1;
 	param.type = SQLITE3_TEXT;
@@ -1452,6 +1464,8 @@ PHP_METHOD(sqlite3stmt, bindValue)
 	zval *object = getThis();
 	struct php_sqlite3_bound_param param = {0};
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	param.param_number = -1;
 	param.type = SQLITE3_TEXT;
@@ -1487,6 +1501,8 @@ PHP_METHOD(sqlite3stmt, execute)
 
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
diff --git a/ext/sqlite3/tests/bug66550.phpt b/ext/sqlite3/tests/bug66550.phpt
new file mode 100644
index 0000000000..a44515b0d9
--- /dev/null
+++ b/ext/sqlite3/tests/bug66550.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE==
-- 
2.49.0