Bug #53463 sqlite3 columnName() segfaults on bad column_number
Submitted: 2010-12-03 18:01 UTC Modified: 2010-12-03 22:06 UTC
From: danielc at analysisandsolutions dot com Assigned: felipe
Status: Closed Package: SQLite related
PHP Version: 5.3SVN-2010-12-03 (SVN) OS: linux
Private report: No CVE-ID:
 [2010-12-03 18:01 UTC] danielc at analysisandsolutions dot com
PHP's SQLite3Result::columnName() method produces a segmentation fault when column_number exceeds the column count.

Inside ext/sqlite3/sqlite3.c, PHP utilizes RETVAL_STRING for the data coming back from SQLite's sqlite3_column_name() function.  But inside ext/sqlite3/libsqlite/sqlite3.c, their sqlite3_column_name() function calls columnName(), which returns 0 on error conditions.

PHP's C code needs to be adjusted to account for mixed type results from sqlite3_column_name().  When making this fix, it seems PHP should return FALSE if sqlite3_column_name() produces 0.

Test script:
$db = new SQLite3(':memory:');

$db->exec('CREATE TABLE test (whatever INTEGER)');
$db->exec('INSERT INTO test (whatever) VALUES (1)');

$result = $db->query('SELECT * FROM test');
while ($row = $result->fetchArray(SQLITE3_NUM)) {
    var_dump($result->columnName(0));  // string(8) "whatever"

    // Seems returning false will be most appropriate.
    var_dump($result->columnName(3));  // Segmentation fault
}

echo "Done\n";

Expected result:
string(8) "whatever"

Actual result:
string(8) "whatever"
Segmentation fault
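
The failure mode in this report, as an added C example (not PHP's or SQLite's source): a lookup that returns NULL for a bad index, an unchecked caller that treats the result as a string, and a checked caller that reports failure instead. The names demo_stmt, demo_column_name, column_name_unchecked and column_name_checked are hypothetical, and the stand-in lookup only assumes the behaviour the report describes (0 returned on error).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a result set's column names. */
typedef struct { const char **names; int count; } demo_stmt;

/* Stand-in for sqlite3_column_name(): NULL when n is out of range. */
const char *demo_column_name(const demo_stmt *s, int n)
{
    return (s && n >= 0 && n < s->count) ? s->names[n] : NULL;
}

/* Unchecked pattern from the report: the lookup result is handed straight
 * to a string copy, so a bad index makes strlen() dereference NULL. */
char *column_name_unchecked(const demo_stmt *s, int n)
{
    const char *name = demo_column_name(s, n);
    char *copy = malloc(strlen(name) + 1);  /* NULL deref on bad n */
    if (copy) strcpy(copy, name);
    return copy;
}

/* Checked pattern: test the pointer before using it as a string.
 * Returns 0 with *out set to a heap copy, or -1 with *out == NULL. */
int column_name_checked(const demo_stmt *s, int n, char **out)
{
    const char *name = demo_column_name(s, n);
    *out = NULL;
    if (name == NULL) return -1;            /* caller maps this to FALSE */
    size_t len = strlen(name) + 1;
    if ((*out = malloc(len)) == NULL) return -1;
    memcpy(*out, name, len);
    return 0;
}

int main(void)
{
    const char *cols[] = { "whatever" };    /* constructed sample data */
    demo_stmt st = { cols, 1 };
    char *name;
    for (int n = 0; n <= 3; n += 3) {       /* indexes 0 and 3, as in the test script */
        if (column_name_checked(&st, n, &name) == 0) { printf("%d: %s\n", n, name); free(name); }
        else printf("%d: false\n", n);
    }
    return 0;
}
```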


 [2010-12-03 22:05 UTC]
Automatic comment from SVN on behalf of felipe
Log: - Fixed bug #53463 (sqlite3 columnName() segfaults on bad column_number)
 [2010-12-03 22:06 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-12-03 22:06 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
