php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #81740 PDO::quote() may return unquoted string
Submitted: 2022-10-29 13:25 UTC Modified: 2022-12-19 06:27 UTC
From: cmb@php.net Assigned: stas (profile)
Status: Closed Package: PDO SQLite
PHP Version: 7.4Git-2022-10-29 (Git) OS: *
Private report: No CVE-ID: 2022-31631
 [2022-10-29 13:25 UTC] cmb@php.net
Description:
------------
Due to an uncaught integer overflow, PDO::quote() of PDO_SQLite
may return a not properly quoted string.  The exact details likely
depend on the implementation of sqlite3_snprintf(), but with
recent versions (tested sqlite 3.39.2 and sqlite 3.39.4) it is
possible to force the function to return a single apostrophe, if
the function is called on user supplied input without any length
restrictions in place (common memory_limit settings should prevent
that though, and usually also post_max_size etc.)

The problem is that the length parameter of sqlite3_snprintf() is
of type int, but we're passing an unrestricted zend_long value, so
overflow may occur.  This renders the previous safe_emalloc()
practically useless, since it only prevents overflow of size_t
values.  For 32bit architecture (where we assume sizeof(zend_long)
== sizeof(int)) this is not a problem, but for 64bit architectures
it is, as the given test script demonstrates.


Test script:
---------------
<?php
$pdo = new PDO("sqlite::memory:");
$string = str_repeat("a", 0x80000000);
var_dump($pdo->quote($string));
?>

Expected result:
----------------
A properly quoted string, false, or some other error indication.

Actual result:
--------------
string(1) "'"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-10-29 13:26 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2022-10-29 14:09 UTC] cmb@php.net
Info about a recently fixed SQLite3 vulnerability which lead me to
discover this issue:
<https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/>.
 [2022-10-31 16:24 UTC] cmb@php.net
-Assigned To: cmb +Assigned To: stas
 [2022-10-31 16:24 UTC] cmb@php.net
I've checked with SQLite3 3.39.1 now, and there we get

string(2) "''"

So this is just an issue with SQLite3 ≥ 3.39.2.

Anyhow, suggested patch (for PHP-8.0, since 7.4 likely won't have
another release):
<https://gist.github.com/cmb69/084933e635c9cdb9be1b94678bda9754>.

It might make sense to additionally raise an error in this case.
 [2022-12-19 06:22 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2022-31631
 [2022-12-19 06:27 UTC] git@php.net
Automatic comment on behalf of cmb69 (author) and smalyshev (committer)
Revision: https://github.com/php/php-src/commit/921b6813da3237a83e908998483f46ae3d8bacba
Log: Fix #81740: PDO::quote() may return unquoted string
 [2022-12-19 06:27 UTC] git@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC