php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68298 OCI int overflow
Submitted: 2014-10-24 10:43 UTC Modified: 2015-11-06 15:39 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:3 of 4 (75.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: perrier dot p at gmail dot com Assigned: sixd
Status: Closed Package: OCI8 related
PHP Version: 5.6.2 OS: Debian 7
Private report: No CVE-ID:
 [2014-10-24 10:43 UTC] perrier dot p at gmail dot com
Description:
------------
If you have a NUMBER colonne which can store 64Bit int when you bind it, it will be converted to INT32 ( ub4 )


in file oci8_statement.c function php_oci_bind_by_name


 case SQLT_INT:
 case SQLT_NUM:
		 if (Z_TYPE_P(var) == IS_RESOURCE || Z_TYPE_P(var) == IS_OBJECT) {
				 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid variable used for bind");
				 return 1;
		 }
		 convert_to_long(var);
		 bind_data = (ub4 *)&Z_LVAL_P(var);
		 value_sz = sizeof(ub4);
		 mode = OCI_DEFAULT;
		 break;


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-28 19:07 UTC] m8r-f6bdu21 at mailinator dot com
I had the same issue:
---
$retValue = -1;
oci_bind_by_name($stmt, ':retValue', $retValue, -1, SQLT_INT);
… // $retValue is set to 0 by statement
oci_execute($stmt);
---
In 64 bit this gives
- PHP: $retValue = 0xFFFFFFFFFFFFFFFF;
- oci: Only lower 32 bit of $retValue is set to 0
- PHP: $retValue = 0xFFFFFFFF00000000;

Since 11.2, OCI supports 64 bit integers:
http://docs.oracle.com/cd/E11882_01/appdev.112/e10646/oci03typ.htm#LNOCI039

I changed the OCI code to:
  bind_data = (ub8 *)&Z_LVAL_P(var);
  value_sz = sizeof(ub8);
and it seems to work so I think the fix is fairly simple.
A check should be done to see if OCI version >= 11.2 and if we are building 64 bit, use ub8 instead of ub4.
 [2015-09-04 22:42 UTC] sixd@php.net
-Assigned To: +Assigned To: sixd
 [2015-10-26 18:28 UTC] zulrang at gmail dot com
Can confirm I've had the same issue, but it was a much bigger problem.

I'm running on Solaris/SPARC, and on SPARC architecture, it's passing only the UPPER 32-bits, resulting in conversion of numbers like 211 to 949187772415.
 [2015-11-06 15:39 UTC] sixd@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu Jul 20 18:01:35 2017 UTC