From 5031bfc395bd9cc5a29389d5fe458c3452643b76 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Wed, 28 Apr 2010 12:10:10 +0000 Subject: [PATCH] Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski. --- NEWS | 2 ++ ext/sqlite/sqlite.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 95b30a4a6d..e260a4722c 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,8 @@ PHP NEWS - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey) +- Fixed a possible arbitrary memory access inside sqlite extension. Reported + by Mateusz Kocielski. (Ilia) - Fixed string format validation inside phar extension. Reported by Stefan Esser (Ilia) - Fixed handling of session variable serialization on certain prefix diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c index 4017dc7fbc..5fc562eeab 100644 --- a/ext/sqlite/sqlite.c +++ b/ext/sqlite/sqlite.c @@ -2508,7 +2508,7 @@ PHP_FUNCTION(sqlite_array_query) return; } - rres = (struct php_sqlite_result *)emalloc(sizeof(*rres)); + rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres)); sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC); if (db->last_err_code != SQLITE_OK) { if (rres) { @@ -2624,7 +2624,7 @@ PHP_FUNCTION(sqlite_single_query) return; } - rres = (struct php_sqlite_result *)emalloc(sizeof(*rres)); + rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres)); sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC); if (db->last_err_code != SQLITE_OK) { if (rres) { -- 2.40.0