php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #67465 NULL Pointer dereference in odbc_handle_preparer
Submitted: 2014-06-17 16:55 UTC Modified: 2020-09-28 15:07 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: martin dot koegler at brz dot gv dot at Assigned: cmb (profile)
Status: Closed Package: PDO ODBC
PHP Version: 5.5.13 OS: any
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: martin dot koegler at brz dot gv dot at
New email:
PHP Version: OS:

 

 [2014-06-17 16:55 UTC] martin dot koegler at brz dot gv dot at 
Description:
------------
If SQLSetStmtAttr fails in odbc_handle_preparer (file odbc_driver.c), pdo_odbc_stmt_error is called. At this time, stmt->driver_data is still NULL.

pdo_odbc_error then tries to store the error data to einfo of the not present stmt->driver_data => SIGSEGV.

Second issue is, that caller of odbc_handle_preparer expects the error in the error structure of the db connection handle.

Possible fix:
--- ext/pdo_odbc/odbc_driver.c.orig     2014-06-17 18:18:14.529836822 +0200
+++ ext/pdo_odbc/odbc_driver.c  2014-06-17 18:41:55.907685218 +0200
@@ -67,7 +67,7 @@
        pdo_odbc_stmt *S = NULL;
        pdo_error_type *pdo_err = &dbh->error_code;

-       if (stmt) {
+       if (stmt && stmt->driver_data) {
                S = (pdo_odbc_stmt*)stmt->driver_data;

                einfo = &S->einfo;
@@ -185,7 +185,7 @@
        if (cursor_type != PDO_CURSOR_FWDONLY) {
                rc = SQLSetStmtAttr(S->stmt, SQL_ATTR_CURSOR_SCROLLABLE, (void*)SQL_SCROLLABLE, 0);
                if (rc != SQL_SUCCESS && rc != SQL_SUCCESS_WITH_INFO) {
-                       pdo_odbc_stmt_error("SQLSetStmtAttr: SQL_ATTR_CURSOR_SCROLLABLE");
+                       pdo_odbc_error(stmt->dbh, stmt, S->stmt, "SQLSetStmtAttr: SQL_ATTR_CURSOR_SCROLLABLE", __FILE__, __LINE__ TSRMLS_CC);
                        SQLFreeHandle(SQL_HANDLE_STMT, S->stmt);
                        if (nsql) {
                                efree(nsql);

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-09-28 15:07 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-09-28 15:12 UTC] cmb@php.net 
The following pull request has been associated:

Patch Name: Fix #67465: NULL Pointer dereference in odbc_handle_preparer
On GitHub:  https://github.com/php/php-src/pull/6225
Patch:      https://github.com/php/php-src/pull/6225.patch
 [2020-09-28 21:00 UTC] cmb@php.net 
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6acfb79276809d70bafe91a45267c8a307ca900d
Log: Fix #67465: NULL Pointer dereference in odbc_handle_preparer
 [2020-09-28 21:00 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC