Bug #53463 sqlite3 columnName() segfaults on bad column_number
Submitted: 2010-12-03 18:01 UTC Modified: 2010-12-03 22:06 UTC
From: danielc at analysisandsolutions dot com Assigned: felipe (profile)
Status: Closed Package: SQLite related
PHP Version: 5.3SVN-2010-12-03 (SVN) OS: linux
Private report: No CVE-ID: None
 [2010-12-03 18:01 UTC] danielc at analysisandsolutions dot com
Description:
------------
PHP's SQLite3Result::columnName() method produces a segmentation fault when column_number exceeds the column count.

Inside ext/sqlite3/sqlite3.c, PHP utilizes RETVAL_STRING for the data coming back from SQLite's sqlite3_column_name() function.  But inside ext/sqlite3/libsqlite/sqlite3.c, their sqlite3_column_name() function calls columnName(), which returns 0 on error conditions.

PHP's C code needs to be adjusted to account for mixed type results from sqlite3_column_name().  When making this fix, it seems PHP should return FALSE if sqlite3_column_name() produces 0.


Test script:
---------------
<?php
// Reproducer: a one-column table is enough to request a column index that does not exist.
$db = new SQLite3(':memory:');

$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');

$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($result->columnName(0));  // string(8) "whatever"

    // Seems returning false will be most appropriate.
    // Index 3 is past the single column; the native sqlite3_column_name() returns 0 here.
    var_dump($result->columnName(3));  // Segmentation fault
}

$result->finalize();
$db->close();

echo "Done\n";


Expected result:
----------------
string(8) "whatever"
bool(false)
Done


Actual result:
--------------
string(8) "whatever"
Segmentation fault
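As an added example (not code from this report or from PHP's SQLite3 extension), a userland guard that validates the index against numColumns() before calling the native columnName(), so an out-of-range or negative index yields false instead of reaching the unchecked sqlite3_column_name() result on builds that predate the fix; safeColumnName is a hypothetical helper name.

```php
<?php
/**
 * Bounds-checked wrapper around SQLite3Result::columnName().
 *
 * @param SQLite3Result $result  an active result set
 * @param int           $column  zero-based column index
 * @return string|false  the column name, or false when the index is invalid
 */
function safeColumnName(SQLite3Result $result, $column)
{
    $column = (int) $column;
    // numColumns() is the authoritative bound; anything outside
    // [0, numColumns) must never reach the native call.
    if ($column < 0 || $column >= $result->numColumns()) {
        return false;
    }
    return $result->columnName($column);
}

// Constructed sample data: two columns so that both valid and invalid
// indexes can be exercised.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE test (whatever INTEGER, other TEXT)');
$db->exec("INSERT INTO test (whatever, other) VALUES (1, 'x')");

$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump(safeColumnName($result, 0));   // valid: first column
    var_dump(safeColumnName($result, 1));   // valid: second column
    var_dump(safeColumnName($result, 3));   // past the end: guarded
    var_dump(safeColumnName($result, -1));  // negative: guarded
}

$result->finalize();
$db->close();
```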


History

 [2010-12-03 22:05 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=305954
Log: - Fixed bug #53463 (sqlite3 columnName() segfaults on bad column_number)
 [2010-12-03 22:06 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-12-03 22:06 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

