From 5fa3f0b8496a68815da582831b6efbabd2fe31d6 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Wed, 28 Apr 2010 12:10:10 +0000
Subject: [PATCH] Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.
---
 NEWS | 2 ++
 ext/sqlite/sqlite.c | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index dbe72b7df6..1fc1f95390 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,8 @@ PHP NEWS
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 - Fixed handling of session variable serialization on certain prefix
   characters. Reported by Stefan Esser (Ilia)
+- Fixed a possible arbitrary memory access inside sqlite extension. Reported
+  by Mateusz Kocielski. (Ilia)
 - Fixed bug #51671 (imagefill does not work correctly for small images).
   (Pierre)
diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c
index adb2d2ba1a..6e27a4a336 100644
--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
@@ -2170,7 +2170,7 @@ PHP_FUNCTION(sqlite_array_query)
 		return;
 	}
-	rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+	rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 	sqlite_query(NULL, db, sql, sql_len, (int)mode, 0, NULL, &rres, NULL TSRMLS_CC);
 	if (db->last_err_code != SQLITE_OK) {
 		if (rres) {
@@ -2286,7 +2286,7 @@ PHP_FUNCTION(sqlite_single_query)
 		return;
 	}
-	rres = (struct php_sqlite_result *)emalloc(sizeof(*rres));
+	rres = (struct php_sqlite_result *)ecalloc(1, sizeof(*rres));
 	sqlite_query(NULL, db, sql, sql_len, PHPSQLITE_NUM, 0, NULL, &rres, NULL TSRMLS_CC);
 	if (db->last_err_code != SQLITE_OK) {
 		if (rres) {
-- 
2.40.0
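Review bot: The switch to ecalloc() on the `rres` line in both hunks (sqlite_array_query and sqlite_single_query) is justified only by the error path immediately below it, where `if (rres)` leads into cleanup of a result whose members sqlite_query() has presumably never set when `db->last_err_code != SQLITE_OK`; nothing in the code records that dependency, so a later change back to emalloc() would silently reintroduce the uninitialized-member access. I would add a comment above the allocation in both functions, `/* must be zeroed: on error sqlite_query() can return before filling rres, and the cleanup below inspects its members */`. The root cause appears to sit in sqlite_query() itself (outside this patch), leaving the caller's struct partially initialized on failure; if any other call site in this file allocates the result with emalloc() the same way, it needs the same treatment, which is worth checking before closing the report. The bodies of both functions, including the cleanup they branch into, continue outside the hunks.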