Bug #53463 sqlite3 columnName() segfaults on bad column_number
Submitted: 2010-12-03 18:01 UTC
Modified: 2010-12-03 22:06 UTC
From: danielc at analysisandsolutions dot com
Assigned: felipe (profile)
Status: Closed
Package: SQLite related
PHP Version: 5.3SVN-2010-12-03 (SVN)
OS: linux
Private report: No
CVE-ID: None

 [2010-12-03 18:01 UTC] danielc at analysisandsolutions dot com
Description:
------------
PHP's SQLite3Result::columnName() method produces a segmentation fault when column_number exceeds the column count.

Inside ext/sqlite3/sqlite3.c, PHP utilizes RETVAL_STRING for the data coming back from SQLite's sqlite3_column_name() function.  But inside ext/sqlite3/libsqlite/sqlite3.c, their sqlite3_column_name() function calls columnName(), which returns 0 on error conditions.

PHP's C code needs to be adjusted to account for mixed type results from sqlite3_column_name().  When making this fix, it seems PHP should return FALSE if sqlite3_column_name() produces 0.


Test script:
---------------
<?php
$db = new SQLite3(':memory:');

$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');

$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($result->columnName(0));  // string(8) "whatever"

    // Seems returning false will be most appropriate.
    var_dump($result->columnName(3));  // Segmentation fault
}

$result->finalize();
$db->close();

echo "Done\n";


Expected result:
----------------
string(8) "whatever"
bool(false)
Done


Actual result:
--------------
string(8) "whatever"
Segmentation fault
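
The missing check described in the report, modelled in stand-alone C as an added example (it is not PHP's or SQLite's source and not the committed fix). `column_name()`, `result_column_name()`, `retval` and `stmt` are hypothetical stand-ins for sqlite3_column_name(), the PHP method, its return value and the statement handle.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for this example; not PHP or SQLite source. */
typedef enum { RV_FALSE, RV_STRING } rv_type;
typedef struct { rv_type type; char *str; } retval;      /* models a PHP return value */
typedef struct { const char **names; int count; } stmt;  /* models a result set */

/* Mirrors the behaviour the report describes: 0 (NULL) for a bad index. */
static const char *column_name(const stmt *s, int n)
{
    if (s == NULL || n < 0 || n >= s->count)
        return NULL;
    return s->names[n];
}

/* Checked wrapper: test for NULL before measuring or copying the string.
 * A string-copying return such as RETVAL_STRING would dereference it. */
retval result_column_name(const stmt *s, int n)
{
    retval rv = { RV_FALSE, NULL };
    const char *name = column_name(s, n);

    if (name == NULL)
        return rv;                  /* caller sees FALSE, nothing dereferenced */

    size_t len = strlen(name);
    rv.str = malloc(len + 1);
    if (rv.str == NULL)
        return rv;                  /* allocation failure also reports FALSE */
    memcpy(rv.str, name, len + 1);
    rv.type = RV_STRING;
    return rv;
}

/* Constructed sample: one column, as in the report's test table. */
static const char *sample_cols[] = { "whatever" };
static const stmt sample = { sample_cols, 1 };

int main(void)
{
    retval ok  = result_column_name(&sample, 0);  /* in range */
    retval bad = result_column_name(&sample, 3);  /* out of range, as in the report */
    int pass = ok.type == RV_STRING && strcmp(ok.str, "whatever") == 0
            && bad.type == RV_FALSE && bad.str == NULL;
    free(ok.str);
    return pass ? 0 : 1;
}
```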


 [2010-12-03 22:05 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=305954
Log: - Fixed bug #53463 (sqlite3 columnName() segfaults on bad column_number)
 [2010-12-03 22:06 UTC] felipe@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: felipe
 [2010-12-03 22:06 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.

