From:             [EMAIL PROTECTED]
Operating system: Linux
PHP version:      4.2.3
PHP Bug Type:     Sybase (dblib) related
Bug description:  Buffer overflow returning binary

dbconvert convert binary -> char returning binary representation so 0x6789
(2 bytes) became '6789' (4 single byte characters)
When converting back to PHP (in ext/sybase/php_sybase_db.c) you pass the
same size buffer leading to a buffer overflow.

The following patch fixes the problem. It also fixes another problem (it removed the
last characters from the conversion) and avoids possible future buffer overflows due
to unusual types (like UNIQUEIDs in MSSQL)

diff -r -u10 php-4.2.3/ext/sybase/php_sybase_db.c
php-4.2.3mod/ext/sybase/php_sybase_db.c
--- php-4.2.3/ext/sybase/php_sybase_db.c        Wed Mar  6 16:59:42 2002
+++ php-4.2.3mod/ext/sybase/php_sybase_db.c     Sun Nov 17 20:08:31 2002
@@ -710,49 +710,51 @@
                /*case SYBFLT8:*/
                case SYBREAL: {
                        Z_DVAL_P(result) = (double) floatcol(offset);
                        Z_TYPE_P(result) = IS_DOUBLE;
                        break;
                }
                default: {
                        if (dbwillconvert(coltype(offset),SYBCHAR)) {
                                char *res_buf;
                                int res_length = dbdatlen(sybase_ptr->link,offset);
+                               int src_length = res_length;
                                register char *p;
                        
                                switch (coltype(offset)) {
                                        case SYBBINARY:
                                        case SYBVARBINARY:
+                                               res_length *= 2;
+                                               break;
                                        case SYBCHAR:
                                        case SYBVARCHAR:
                                        case SYBTEXT:
                                        case SYBIMAGE:
                                                break;
                                        default:
                                                /* take no chances, no telling how big 
the result would really be
*/
                                                res_length += 20;
                                                break;
                                }
 
                                res_buf = (char *) emalloc(res_length+1);
                                memset(res_buf,' ',res_length+1);  /* XXX i'm sure 
there's a better
way
                                                                                
                          but i don't have sybase here to test
                                                                                
                          991105 [EMAIL PROTECTED]  */
-                               
dbconvert(NULL,coltype(offset),dbdata(sybase_ptr->link,offset),
res_length,SYBCHAR,res_buf,-1);
+                               
+dbconvert(NULL,coltype(offset),dbdata(sybase_ptr->link,offset),
src_length,SYBCHAR,res_buf,res_length);
                
                                /* get rid of trailing spaces */
                                p = res_buf + res_length;
-                               while (*p == ' ') {
+                               while (*p == ' ')
                                        p--;
-                                       res_length--;
-                               }
                                *(++p) = 0; /* put a trailing NULL */
+                               res_length = p - res_buf;
                
                                Z_STRLEN_P(result) = res_length;
                                Z_STRVAL_P(result) = res_buf;
                                Z_TYPE_P(result) = IS_STRING;
                        } else {
                                php_error(E_WARNING,"Sybase:  column %d has unknown 
data type (%d)",
offset, coltype(offset));
                                ZVAL_FALSE(result);
                        }
                }
        }
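Review bot: The trailing-space scan after the dbconvert call still has no lower bound: `p = res_buf + res_length; while (*p == ' ') p--;` walks below res_buf when the converted value is empty or entirely spaces (a NULL column gives dbdatlen 0, so for a SYBCHAR column the buffer is a single memset space), and `*(++p) = 0` then writes through the underflowed pointer. The patch removes only the length miscount, not this pre-existing read-before-buffer; scanning back from one past the end with a bound fixes both and keeps the new `res_length = p - res_buf` exact. Separately, dbconvert's return value is discarded, so a failed conversion (more likely now that destlen is bounded to res_length) leaves the memset spaces in res_buf and the column silently comes back as an empty string; checking for -1 and emitting an E_WARNING like the unknown-type branch does would surface it. SYBIMAGE is left at 1:1 in the switch while SYBBINARY/SYBVARBINARY get the 2x hex expansion — if dbconvert renders image data as hex as well, the same factor applies, which is worth confirming against the DB-Library in use. The enclosing function begins before this hunk.
```c
/* … unchanged: dbconvert call … */
/* get rid of trailing spaces: scan back from one past the end, never below res_buf */
p = res_buf + res_length + 1;
while (p > res_buf && p[-1] == ' ')
    p--;
*p = 0; /* put a trailing NULL */
res_length = p - res_buf;
```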

Frediano Ziglio

