Bug #1012 Crash in SQLServer Image Column Conversion
Submitted: 1998-12-29 09:58 UTC Modified: 2002-06-16 08:28 UTC
From: bro at mzv dot net Assigned:
Status: Not a bug Package: Sybase (dblib) related
PHP Version: 3.0.6 OS: Linux
Private report: No CVE-ID: None
 [1998-12-29 09:58 UTC] bro at mzv dot net
php3_sybase_get_column_content in sybase.c (DB-Lib)
crashes with buffer overflow when converting binary columns.
The result of the IMAGE/VARBINARY to CHAR conversion is a
hex string -> needs 2 bytes for each binary byte.

The Patch below fixes this and also adds a bit more space
for DATE conversions. Also works with MS-SQLServer.

---- cut ----
*** php-3.0.6/functions/sybase.c.orig	Fri Sep 11 01:57:23 1998
--- php-3.0.6/functions/sybase.c	Tue Dec 29 15:44:08 1998
***************
*** 637,639 ****
  				char *res_buf;
! 				int res_length = dbdatlen(sybase_ptr->link,offset);
  				register char *p;
--- 637,640 ----
  				char *res_buf;
! 				int dat_length = dbdatlen(sybase_ptr->link,offset);
! 				int res_length = dat_length;
  				register char *p;
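Review bot: dat_length in the new lines 637-640 is taken straight from dbdatlen() with no range check, and every later size in this function is derived from it. DB-Library documents dbdatlen() as returning -1 for an out-of-range column, so a guard ahead of the switch (treat a negative length as 0 or bail out) would keep a negative value out of the emalloc() size and out of the source length passed to dbconvert().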
***************
*** 641,644 ****
  				switch (coltype(offset)) {
- 					case SYBBINARY:
- 					case SYBVARBINARY:
  					case SYBCHAR:
--- 642,643 ----
***************
*** 646,648 ****
--- 645,652 ----
  					case SYBTEXT:
+ 						break;
+ 					case SYBBINARY:
+ 					case SYBVARBINARY:
  					case SYBIMAGE:
+ 						/* result is hex string */
+ 						res_length = (dat_length * 2) + 4;
  						break;
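Review bot: `res_length = (dat_length * 2) + 4;` in the SYBIMAGE branch is computed in int, so a large enough IMAGE value can wrap before the result reaches emalloc(res_length+1). Add an upper-bound check on dat_length before multiplying (for example against (INT_MAX - 5) / 2), and extend the comment to say what the extra 4 bytes are for, since the hex digits need only 2 per byte plus the terminator already added at the emalloc() call.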
***************
*** 650,652 ****
  						/* take no chances, no telling how big the result would really be */
! 						res_length += 20;
  						break;
--- 654,656 ----
  						/* take no chances, no telling how big the result would really be */
! 						res_length += 40;
  						break;
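Review bot: changing `res_length += 20;` to `res_length += 40;` in the default branch keeps the size a guess, as the retained comment above it admits. Give the constant a name and record which conversion needed more than 20 bytes (the report mentions DATE), or size each column type from the longest string that type can produce, so the next reader can tell whether 40 is actually sufficient.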
***************
*** 655,657 ****
  				res_buf = (char *) emalloc(res_length+1);
! 				dbconvert(NULL,coltype(offset),dbdata(sybase_ptr->link,offset), res_length,SYBCHAR,res_buf,-1);
  		
--- 659,661 ----
  				res_buf = (char *) emalloc(res_length+1);
! 				res_length = dbconvert(NULL,coltype(offset),dbdata(sybase_ptr->link,offset), dat_length,SYBCHAR,res_buf,-1);
  		
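Review bot: the new `res_length = dbconvert(...)` assignment uses the return value unchecked, and DB-Library's dbconvert() returns -1 when a conversion fails, so a failed conversion leaves res_length negative for whatever code follows. Test for a negative result and free res_buf on that path. The call also still passes -1 as the destination length, which leaves the emalloc() size on the line above as the only bound on what gets written to res_buf.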

---- cut ----

A Happy new year!

Bernd
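
The sizing rule from the report (two hex characters per binary byte, plus a terminator), as an added example that is not part of the patch or of PHP's source. It does not call DB-Library; the names hex_size, bin_to_hex and bin_to_hex_alloc are hypothetical, and the destination length is passed explicitly so the converter can refuse an undersized buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to hold n binary bytes as a NUL-terminated hex string.
 * Returns 0 if 2*n + 1 would not fit in size_t. */
size_t hex_size(size_t n)
{
    if (n > (SIZE_MAX - 1) / 2)
        return 0;
    return n * 2 + 1;
}

/* Convert src[0..n) to lowercase hex in dst, which holds dst_len bytes.
 * Returns the string length written, or -1 if dst is missing or too small. */
long bin_to_hex(const unsigned char *src, size_t n, char *dst, size_t dst_len)
{
    static const char digits[] = "0123456789abcdef";
    size_t need = hex_size(n);
    size_t i;

    if (need == 0 || dst == NULL || dst_len < need)
        return -1;
    for (i = 0; i < n; i++) {
        dst[2 * i]     = digits[src[i] >> 4];
        dst[2 * i + 1] = digits[src[i] & 0x0f];
    }
    dst[2 * n] = '\0';
    return (long)(2 * n);
}

/* Allocate a buffer of exactly hex_size(n) bytes and convert into it.
 * Returns NULL on overflow or allocation failure; the caller frees. */
char *bin_to_hex_alloc(const unsigned char *src, size_t n)
{
    size_t need = hex_size(n);
    char *buf;

    if (need == 0 || (buf = malloc(need)) == NULL)
        return NULL;
    if (bin_to_hex(src, n, buf, need) < 0) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

A buffer sized as data length + 1, which is what the unpatched code allocated for binary columns, is rejected by bin_to_hex instead of being overrun.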

 [2002-06-16 08:28 UTC] sander@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately, PHP 3 is no longer supported. Please download
the latest version of PHP 4 from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.
 