Bug #68673 out of bounds access
Submitted: 2014-12-28 23:20 UTC Modified: 2015-05-16 13:11 UTC
From: bugreports at internot dot info Assigned: cmb
Status: Not a bug Package: SQLite related
PHP Version: master-Git-2014-12-28 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2014-12-28 23:20 UTC] bugreports at internot dot info

In /ext/sqlite3/libsqlite/sqlite3.c:

96895      fkLookupParent(pParse, iDb, pTo, pIdx, pFKey, aiCol, regOld, -1,isIgnore);

aiCol is an int, but it is used as an array:

96302    int iReg = aiCol[i] + regData + 1;

in the fkLookupParent() function.

 [2014-12-28 23:26 UTC] bugreports at internot dot info
And here:

140572  rc = fts3SqlStmt(p, SQL_SELECT_CONTENT_BY_ROWID, &pSelect, &pRowid);
&pRowid is an int, but it is called as an array in the fts3SqlStmt function:

139924      rc = sqlite3_bind_value(pStmt, i+1, apVal[i]);

 [2014-12-30 02:52 UTC]
-Package: *General Issues +Package: SQLite related
 [2015-05-16 13:11 UTC]
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2015-05-16 13:11 UTC]
I had a look at the bundled sqlite3.c from 2014-12-28[1], and there
the mentioned aiCol is an int* (not an int), and &rowId is an
sqlite3_value** (not an int).

[1] <>