
Commit 94ac1cd

committed
Merge branch 'PHP-8.4'
* PHP-8.4: Fix GH-16450: PDO_ODBC can inject garbage into field values
2 parents 50a3f01 + 331bd95 commit 94ac1cd


3 files changed

+39
-3
lines changed


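--- a/ext/pdo_odbc/odbc_stmt.c
+++ b/ext/pdo_odbc/odbc_stmt.c
@@ -689,11 +689,12 @@ static int odbc_stmt_get_col(pdo_stmt_t *stmt, int colno, zval *result, enum pdo
 /* read block. 256 bytes => 255 bytes are actually read, the last 1 is NULL */
 rc = SQLGetData(S->stmt, colno+1, C->is_unicode ? SQL_C_BINARY : SQL_C_CHAR, buf2, 256, &C->fetched_len);
 
-/* adjust `used` in case we have length info from the driver */
+/* adjust `used` in case we have proper length info from the driver */
 if (orig_fetched_len >= 0 && C->fetched_len >= 0) {
 SQLLEN fixed_used = orig_fetched_len - C->fetched_len;
-ZEND_ASSERT(fixed_used <= used + 1);
-used = fixed_used;
+if (fixed_used <= used + 1) {
+used = fixed_used;
+}
 }
 
 /* resize output buffer and reassemble block */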
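Review bot: The new guard `if (fixed_used <= used + 1)` bounds the driver-derived length only from above. `fixed_used` is the difference of two driver-reported `SQLLEN` values, so it goes negative whenever the second `SQLGetData` call reports a larger `fetched_len` than the first. Whether a negative value is rejected depends on the type of `used`, which is declared outside this hunk, so the check may be relying on an implicit signed/unsigned conversion. Since `used` appears to feed the resize and reassemble step that follows, I would state the lower bound explicitly: `if (fixed_used >= 0 && fixed_used <= used + 1) {`. A short comment saying that inconsistent driver lengths are deliberately ignored and the previous `used` kept would also help, for example `/* driver length info is inconsistent; keep the locally tracked value */`.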

ext/pdo_odbc/tests/gh16450.phpt

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
--TEST--
2+
GH-16450 (PDO_ODBC can inject garbage into field values)
3+
--EXTENSIONS--
4+
pdo_odbc
5+
--SKIPIF--
6+
<?php
7+
$dbpath = __DIR__ . "/test.mdb";
8+
try {
9+
new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
10+
} catch (PDOException $ex) {
11+
die("skip Cannot connect to MS Access database");
12+
}
13+
?>
14+
--FILE--
15+
<?php
16+
$dbpath = __DIR__ . "/test.mdb";
17+
$pdo = new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
18+
19+
$pdo->exec("CREATE TABLE gh16450 (Id INT, MyLongText LONGCHAR)");
20+
$pdo->exec(sprintf("INSERT INTO gh16450 VALUES (1, '%s')", str_repeat("_", 2048)));
21+
$pdo->exec(sprintf("INSERT INTO gh16450 VALUES (1, '%s')", str_repeat("_", 2049)));
22+
23+
$stmt = $pdo->query("SELECT MyLongText FROM gh16450");
24+
var_dump($stmt->fetchColumn(0));
25+
var_dump($stmt->fetchColumn(0));
26+
?>
27+
--CLEAN--
28+
<?php
29+
$dbpath = __DIR__ . "/test.mdb";
30+
$pdo = new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
31+
$pdo->exec("DROP TABLE gh16450");
32+
?>
33+
--EXPECT--
34+
string(2048) "__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
______________________________________________________________"
35+
string(2049) "__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
_______________________________________________________________"
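Review bot: Both INSERTs use Id 1 and the SELECT has no ORDER BY, so the expected order (2048 characters, then 2049) relies on the driver returning rows in insertion order. A distinct key on the second row plus a sort makes the expectation deterministic: `INSERT INTO gh16450 VALUES (2, '%s')` and `SELECT MyLongText FROM gh16450 ORDER BY Id`. The test also creates and drops its table inside the committed `test.mdb`, so each run rewrites a tracked binary fixture. Copying the fixture to a temporary path in --FILE-- and deleting the copy in --CLEAN-- would keep the working tree clean.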

ext/pdo_odbc/tests/test.mdb

76 KB
Binary file not shown.
