sqlite3 columnName() segfaults on bad column_number
| Bug #53463 | sqlite3 columnName() segfaults on bad column_number | | |
|---|---|---|---|
| Submitted: | 2010-12-03 18:01 UTC | Modified: | 2010-12-03 22:06 UTC |
| From: | danielc at analysisandsolutions dot com | Assigned: | felipe |
| Status: | Closed | Package: | SQLite related |
| PHP Version: | 5.3SVN-2010-12-03 (SVN) | OS: | linux |
| Private report: | No | CVE-ID: | None |
[2010-12-03 18:01 UTC] danielc at analysisandsolutions dot com
Description:
------------
PHP's SQLite3Result::columnName() method produces a segmentation fault when column_number exceeds the column count.
Inside ext/sqlite3/sqlite3.c, PHP utilizes RETVAL_STRING for the data coming back from SQLite's sqlite3_column_name() function. But inside ext/sqlite3/libsqlite/sqlite3.c, their sqlite3_column_name() function calls columnName(), which returns 0 on error conditions.
PHP's C code needs to be adjusted to account for mixed type results from sqlite3_column_name(). When making this fix, it seems PHP should return FALSE if sqlite3_column_name() produces 0.
Test script:
---------------
<?php
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');
$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($result->columnName(0)); // string(8) "whatever"
    // Seems returning false will be most appropriate.
    var_dump($result->columnName(3)); // Segmentation fault
}
$result->finalize();
$db->close();
echo "Done\n";
Expected result:
----------------
string(8) "whatever"
bool(false)
Done
Actual result:
--------------
string(8) "whatever"
Segmentation fault
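The defect the report describes is a C pattern rather than anything specific to PHP: a lookup that returns NULL on error is passed straight to a macro that copies the string it is given. The following is an added example, not code from PHP or from SQLite, that models that contract without linking libsqlite3. `fake_result`, `fake_column_name()`, `column_name_checked()` and `demo_result` are constructed stand-ins for the real statement, for `sqlite3_column_name()`, for the guarded wrapper the report asks for, and for the one-column table in the test script; the guard's shape is an assumption, not the fix that was committed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an SQLite result set; no real statement is
 * involved, so this builds without libsqlite3. */
typedef struct {
    const char *const *names;  /* column names in select order */
    int ncols;                 /* number of columns */
} fake_result;

/* Stand-in for sqlite3_column_name(): as the report describes for SQLite's
 * internal columnName(), it yields 0 (NULL) when n is not a valid column. */
static const char *fake_column_name(const fake_result *r, int n)
{
    if (r == NULL || n < 0 || n >= r->ncols) {
        return NULL;
    }
    return r->names[n];
}

/* What the PHP method should hand back: a string or FALSE, never a crash. */
typedef enum { COL_STRING = 0, COL_FALSE = 1 } col_status;

/* Guarded wrapper. The report's failure is the unguarded form,
 *     RETVAL_STRING(sqlite3_column_name(stmt, n), 1);
 * which copies from a NULL pointer whenever n is out of range. Checking the
 * pointer first and mapping NULL to FALSE is the behaviour the report asks
 * for (assumed shape; not the committed PHP fix). */
static col_status column_name_checked(const fake_result *r, int n, const char **out)
{
    const char *name = fake_column_name(r, n);
    if (name == NULL) {
        *out = NULL;
        return COL_FALSE;   /* PHP would RETURN_FALSE here */
    }
    *out = name;            /* PHP would RETVAL_STRING(name, 1) here */
    return COL_STRING;
}

/* The single-column table from the report's test script, constructed inline. */
static const char *const demo_names[] = { "whatever" };
static const fake_result demo_result = { demo_names, 1 };

int main(void)
{
    const char *name;
    int probes[] = { 0, 3, -1 };   /* valid index, the report's index 3, negative */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        col_status st = column_name_checked(&demo_result, probes[i], &name);
        if (st == COL_STRING) {
            printf("columnName(%d): string(%zu) \"%s\"\n", probes[i], strlen(name), name);
        } else {
            printf("columnName(%d): bool(false)\n", probes[i]);
        }
    }
    return 0;
}
```

Index 0 yields the expected `string(8) "whatever"`, while 3 and -1 yield `bool(false)` instead of a crash. On an unpatched build, the same guard can be applied from PHP by comparing the index against `SQLite3Result::numColumns()` before calling `columnName()`, which matters wherever the column number originates from request input.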
[2010-12-03 22:06 UTC] felipe@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: felipe