ID:               48913
Updated by:       fel...@php.net
Reported By:      naf at altlinux dot ru
-Status:          Open
+Status:          Closed
Bug Type:         PDO related
Operating System: *
PHP Version:      5.3CVS-2009-07-14 (snap)
New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD. Thanks.

Previous Comments:
------------------------------------------------------------------------

[2009-07-14 12:06:39] naf at altlinux dot ru

Description:
------------
In odbc_stmt.c, in functions odbc_stmt_set_param(), line 766 and
odbc_stmt_get_attr(), line 798, error code "IM0001" is placed in the
(pdo_odbc_stmt *)S->einfo.last_state. The length of this error code
string ("IM0001") is 7 bytes, but the last_state field is declared as
(php_pdo_odbc_int.h, line 121): char last_state[6]. So a buffer overflow
will happen when executing 'strcpy(S->einfo.last_state, "IM0001")'.

Compared to other PDO drivers, it seems that the error code should be
5 chars in length, i.e. "IM001".

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=48913&edit=1
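The off-by-one described in the report, shown as an added example that is not PHP's own code. Only `char last_state[6]` and the strings "IM0001" and "IM001" come from the report; `demo_einfo`, its `guard` field, `bytes_needed()` and `set_state()` are hypothetical names used for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver's error-info struct. Only the
 * size of last_state (char[6]) is taken from the bug report. */
typedef struct {
    char last_state[6]; /* room for a 5-character SQLSTATE plus the NUL */
    char guard;         /* constructed neighbouring field */
} demo_einfo;

/* Compile-time check: the corrected literal fits, terminator included.
 * Substituting "IM0001" here makes the build fail (7 > 6). */
_Static_assert(sizeof("IM001") <= sizeof(((demo_einfo *)0)->last_state),
               "SQLSTATE literal does not fit in last_state");

/* Number of bytes strcpy() would write for src, including the NUL. */
static size_t bytes_needed(const char *src) {
    return strlen(src) + 1;
}

/* Bounded setter: copies only when code and its NUL fit in last_state.
 * Returns 0 on success, -1 if the code was rejected as too long. */
static int set_state(demo_einfo *e, const char *code) {
    size_t n = bytes_needed(code);
    if (n > sizeof e->last_state) {
        e->last_state[0] = '\0'; /* leave a valid empty string behind */
        return -1;
    }
    memcpy(e->last_state, code, n);
    return 0;
}

int main(void) {
    demo_einfo e = { "", 'G' };
    printf("\"IM0001\" needs %zu bytes, last_state holds %zu\n",
           bytes_needed("IM0001"), sizeof e.last_state);
    int rejected = set_state(&e, "IM0001"); /* one byte too long */
    int accepted = set_state(&e, "IM001");  /* 5 chars + NUL = 6 */
    printf("IM0001 -> %d, IM001 -> %d, state=%s, guard=%c\n",
           rejected, accepted, e.last_state, e.guard);
    return 0;
}
```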