Bug #67134 missing null terminator for uniqueidentifier value
Submitted: 2014-04-26 08:56 UTC
Modified: -
From: kaido at tradenet dot ee
Assigned:
Status: Closed
Package: PDO DBlib
PHP Version: 5.4Git-2014-04-26 (Git)
OS: debian
Private report: No
CVE-ID: None
 [2014-04-26 08:56 UTC] kaido at tradenet dot ee
Description:
------------
PHP 5.4.29-dev (cli) (built: Apr 24 2014 16:49:28) (DEBUG)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies


pdo_dblib does not set null terminator for returned uniqueidentifier column


Test script:
---------------
<?php

        $dsn = "dblib:host=xxx.xxx.xxx;dbname=xxx";
        $pdo = new PDO($dsn, 'xxxx', 'xxxx');

        $stmt = $pdo->query('select newid() ');
        $res =  $stmt->fetch();

        var_dump($res);

        unset ($stmt);

?>


Expected result:
----------------
array(2) {
  [""]=>
  string(36) "29E3B7BD-63DD-47C5-B58C-E41F12E4CAE3"
  [0]=>
  string(36) "29E3B7BD-63DD-47C5-B58C-E41F12E4CAE3"
}



Actual result:
--------------
array(2) {
  [""]=>
  string(36) "29E3B7BD-63DD-47C5-B58C-E41F12E4CAE3"
  [0]=>
  string(36) "29E3B7BD-63DD-47C5-B58C-E41F12E4CAE3"
}

Warning: String is not zero-terminated (29E3B7BD-63DD-47C5-B58C-E41F12E4CAE3 ) (source: /root/php/php-src/Zend/zend_execute_API.c:436) in Unknown on line 0

 [2014-04-26 09:01 UTC] kaido at tradenet dot ee
The bug is in ext/pdo_dblib/dblib_stmt.c: pdo_dblib_stmt_get_col()


current code:
                case SQLUNIQUE: {
                        *len = 36+1;
                        tmp_ptr = emalloc(*len + 1);

                        /* uniqueidentifier is a 16-byte binary number, convert to 32 char hex string */
                        *len = dbconvert(NULL, SQLUNIQUE, *ptr, *len, SQLCHAR, tmp_ptr, *len);
                        php_strtoupper(tmp_ptr, *len);
                        *ptr = tmp_ptr;
                        break;
                }

The length is correctly set to 36+1 (reserving 1 for the null terminator), but the terminator itself is not set. Also, the comment there is outdated and no longer relevant, so removed.

the code should be as follows:

                case SQLUNIQUE: {
                        *len = 36+1;
                        tmp_ptr = emalloc(*len + 1);

                        *len = dbconvert(NULL, SQLUNIQUE, *ptr, *len, SQLCHAR, tmp_ptr, *len);
                        php_strtoupper(tmp_ptr, *len);
                        tmp_ptr[36] = '\0';
                        *ptr = tmp_ptr;
                        break;
                }


Can someone with better knowledge of the code confirm my observations, and commit the fix, please.
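
The missing terminator described in the comment above, as an added example that is not part of the original report or of php-src. `convert_guid` is a hypothetical stand-in for the conversion call (it writes 36 characters and no terminator), the `SAMPLE` bytes and the `0xAA` fill that models uninitialised heap memory are constructed, and the example goes slightly beyond the proposed fix by terminating at the returned length and rejecting a -1 return instead of hard-coding index 36.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define GUID_STR_LEN 36
/* Constructed sample: raw bytes that print as the GUID shown in the report. */
static const unsigned char SAMPLE[16] = { 0x29,0xE3,0xB7,0xBD,0x63,0xDD,0x47,0xC5,
                                          0xB5,0x8C,0xE4,0x1F,0x12,0xE4,0xCA,0xE3 };

/* Hypothetical stand-in for the conversion call: writes 36 characters with NO
 * terminator; returns bytes written, or -1 if dest is too small. */
static int convert_guid(const unsigned char *src, char *dest, int destlen)
{
    static const char hex[] = "0123456789ABCDEF";
    int i, n = 0;
    if (destlen < GUID_STR_LEN) return -1;
    for (i = 0; i < 16; i++) {
        if (i == 4 || i == 6 || i == 8 || i == 10) dest[n++] = '-';
        dest[n++] = hex[src[i] >> 4]; dest[n++] = hex[src[i] & 0x0F];
    }
    return n;
}

/* Allocates 36 + 1 bytes, converts, and writes the NUL only if terminate is set. */
static char *guid_fetch(const unsigned char *src, int terminate, int *len)
{
    char *buf = malloc(GUID_STR_LEN + 1);
    if (!buf) return NULL;
    memset(buf, 0xAA, GUID_STR_LEN + 1);      /* model uninitialised heap bytes */
    *len = convert_guid(src, buf, GUID_STR_LEN);
    if (*len < 0) { free(buf); return NULL; } /* never index with -1 */
    if (terminate) buf[*len] = '\0';          /* the step the report says is missing */
    return buf;
}

/* 1 if buf[len] is NUL (and the text equals expect, when given), 0 if not, -1 on failure. */
static int fetch_is_terminated(int terminate, const char *expect)
{
    int len, ok;
    char *s = guid_fetch(SAMPLE, terminate, &len);
    if (!s) return -1;
    ok = (s[len] == '\0');
    if (ok && expect && strcmp(s, expect) != 0) ok = 0;
    free(s);
    return ok;
}

int main(void) {
    printf("before: %d after: %d\n", fetch_is_terminated(0, NULL), fetch_is_terminated(1, NULL));
}
```

The unterminated case is only inspected at index `len`, inside the allocation; passing such a buffer to `strlen` or `strcmp` would read past it.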
 [2014-10-21 04:46 UTC] ssufficool@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=09cf64678a76fbbe9eb897a128b65dc5618f2ad1
Log: Fix bug #67134 (PDO_DBLIB Missing null string terminator)
 [2014-10-21 04:46 UTC] ssufficool@php.net
-Status: Open +Status: Closed
 [2014-10-24 20:29 UTC] ab@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=09cf64678a76fbbe9eb897a128b65dc5618f2ad1
Log: Fix bug #67134 (PDO_DBLIB Missing null string terminator)
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=09cf64678a76fbbe9eb897a128b65dc5618f2ad1
Log: Fix bug #67134 (PDO_DBLIB Missing null string terminator)
 
Last updated: Wed Jan 15 07:01:29 2025 UTC