From 502d68e1e7d28ec35ae2bb8aea9d31db32da82bd Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Sat, 5 May 2007 15:36:15 +0000
Subject: [PATCH] Fixed bug #41285 (Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib).
---
 NEWS | 2 ++
 ext/sqlite/sess_sqlite.c | 10 +++++++---
 ext/sqlite/sqlite.c | 2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 872ad724b8..7408ef9c0b 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP NEWS
 - Fixed altering $this via argument named "this". (Dmitry)
 - Fixed bug #41287 (Namespace functions don't allow xmlns defintion to be optional). (Rob)
+- Fixed bug #41285 (Improved fix for CVE-2007-1887 to work with non-bundled
+ sqlite2 lib). (Ilia)
 - Fixed bug #41283 (Bug with serializing array key that are doubles or floats). (Ilia)
 - Fixed bug #41257: (lookupNamespaceURI does not work as expected). (Rob)
diff --git a/ext/sqlite/sess_sqlite.c b/ext/sqlite/sess_sqlite.c
index 785704faf7..c893baad98 100644
--- a/ext/sqlite/sess_sqlite.c
+++ b/ext/sqlite/sess_sqlite.c
@@ -110,9 +110,13 @@ PS_READ_FUNC(sqlite)
 case SQLITE_ROW:
 if (rowdata[0] != NULL) {
 *vallen = strlen(rowdata[0]);
- *val = emalloc(*vallen);
- *vallen = sqlite_decode_binary(rowdata[0], *val);
- (*val)[*vallen] = '\0';
+ if (*vallen) {
+ *val = emalloc(*vallen);
+ *vallen = sqlite_decode_binary(rowdata[0], *val);
+ (*val)[*vallen] = '\0';
+ } else {
+ *val = STR_EMPTY_ALLOC();
+ }
 }
 break;
 default:
diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c
index 27922020b1..93d62cfa93 100644
--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
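Review bot: In the ext/sqlite/sess_sqlite.c hunk, inside the new `if (*vallen)` branch of PS_READ_FUNC(sqlite), the return value of `sqlite_decode_binary()` is stored in `*vallen` and used straight away as the index in `(*val)[*vallen] = '\0'` with no range check. The function is declared as returning `int` (the extern in ext/sqlite/sqlite.c), so if the linked sqlite2 library reports a malformed encoding with a negative value — not visible here, to be confirmed against the library — the terminator lands outside the buffer; the added guard only covers the empty string. I would decode into a local, `int n = sqlite_decode_binary(rowdata[0], *val);`, and on `n < 0` call `efree(*val)` and fall back to `*val = STR_EMPTY_ALLOC(); *vallen = 0;`. The buffer is sized `emalloc(*vallen)` with no spare byte, so a one-line comment stating why the decoded length plus the terminator always fits would help the next reader. The function body starts and ends outside this hunk.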
@@ -73,7 +73,7 @@ extern int sqlite_encode_binary(const unsigned char *in, int n, unsigned char *o
 extern int sqlite_decode_binary(const unsigned char *in, unsigned char *out);
 #define php_sqlite_encode_binary(in, n, out) sqlite_encode_binary((const unsigned char *)in, n, (unsigned char *)out)
-#define php_sqlite_decode_binary(in, out) sqlite_decode_binary((const unsigned char *)in, (unsigned char *)out)
+#define php_sqlite_decode_binary(in, out) in && *in ? sqlite_decode_binary((const unsigned char *)in, (unsigned char *)out) : 0
 static int sqlite_count_elements(zval *object, long *count TSRMLS_DC);
--
2.50.1
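Review bot: The new `php_sqlite_decode_binary` macro in ext/sqlite/sqlite.c expands `in` and the whole conditional without parentheses, so the emptiness guard depends on how each call site spells its argument. With an argument such as `p + 1` the test becomes `p + 1 && *p + 1`, which checks the byte at `p` plus one rather than the byte at `p + 1`, so an empty payload would still reach `sqlite_decode_binary()`; the call sites are outside this hunk, so whether any of them passes such an expression needs checking. The bare `?:` also binds loosely if the macro is ever used inside a larger expression. I would write `#define php_sqlite_decode_binary(in, out) ((in) && *(in) ? sqlite_decode_binary((const unsigned char *)(in), (unsigned char *)(out)) : 0)`, or use a static inline helper so that `in` is evaluated only once.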