Bug #28679 Improper handling of datetime results
Submitted: 2004-06-07 20:25 UTC Modified: 2004-07-22 01:00 UTC
From: bmr at comtime dot com Assigned:
Status: No Feedback Package: Sybase (dblib) related
PHP Version: 4.3.4 OS: Linux
Private report: No CVE-ID: None
 [2004-06-07 20:25 UTC] bmr at comtime dot com
Description:
------------
There is a bug with php_sybase_get_column_content().  This is observed when you take a datetime column result and pass it into strtotime().  The problem seems to be related to the string not being null terminated.  Here is the part of the function with the problem:

switch (coltype(offset)) {
  case SYBBINARY:
  case SYBVARBINARY:
  case SYBIMAGE:
    res_length *= 2;
    break;
  case SYBCHAR:
  case SYBVARCHAR:
  case SYBTEXT:
    break;
  default:
  /* take no chances, no telling how big the result would really be */
    res_length += 20;
    break;
}

res_buf = (char *) emalloc(res_length+1);
memset(res_buf,' ',res_length+1);  /* XXX i'm sure there's a better way
                                      but i don't have sybase here to test
                                      991105 thies<at>thieso.net  */
dbconvert(NULL,coltype(offset),dbdata(sybase_ptr->link,offset), src_length,SYBCHAR,res_buf,res_length);
Z_STRLEN_P(result) = res_length;
Z_STRVAL_P(result) = res_buf;
Z_TYPE_P(result) = IS_STRING;

------------------------------ end code ------------------

This does not null-terminate the string coming back, which causes problems.  I would have thought that, since the length is stored with the value, PHP would honor that and not go beyond that boundary, but this does not appear to be the case.  Adding this line after dbconvert() seems to fix the problem:
res_buf[res_length] = '\0';

But the whole "res_length += 20" thing scares me a little as well.

Reproduce code:
---------------
See description.  It would be hard to reproduce without setting up a database, etc.

Expected result:
----------------
strtotime() returns 0.
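
The failure mode described in the report, as an added example that is not PHP's source or the reporter's code. `fake_convert` is a hypothetical stand-in for dbconvert() that is assumed to write no terminator, and the `ADJACENT` tail is constructed so that the over-read stays inside one allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for whatever bytes follow the buffer on the heap. */
#define TAIL "ADJACENT"

/* Hypothetical stand-in for dbconvert(): copies the text, writes no '\0'. */
static void fake_convert(const char *src, size_t src_len, char *dst, size_t dst_len)
{
    memcpy(dst, src, src_len < dst_len ? src_len : dst_len);
}

/* Builds the result buffer the way the quoted code does and returns the
 * length a C-string consumer (one that ignores the stored length) sees. */
size_t c_string_length(const char *value, size_t res_length, int apply_fix)
{
    size_t tail = sizeof(TAIL);          /* includes '\0', bounding the over-read */
    char *arena = malloc(res_length + 1 + tail);
    char *res_buf = arena;               /* first res_length+1 bytes = emalloc(res_length+1) */
    size_t seen;

    if (arena == NULL)
        return 0;
    memcpy(arena + res_length + 1, TAIL, tail);
    memset(res_buf, ' ', res_length + 1);        /* same pre-fill as the quoted code */
    fake_convert(value, strlen(value), res_buf, res_length);
    if (apply_fix)
        res_buf[res_length] = '\0';              /* the one-line fix from the report */
    seen = strlen(res_buf);
    free(arena);
    return seen;
}

int main(void)
{
    const char *dt = "2004-06-07";               /* constructed sample value */
    size_t res_length = strlen(dt) + 20;         /* mirrors the "res_length += 20" branch */

    printf("stored length : %zu\n", res_length);
    printf("without fix   : %zu\n", c_string_length(dt, res_length, 0));
    printf("with fix      : %zu\n", c_string_length(dt, res_length, 1));
    return 0;
}
```

Without the terminator the consumer runs through the space padding and into the adjacent bytes; with it, the C-string length matches the stored length, although the value still carries the trailing padding from the pre-fill.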


 [2004-07-22 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 