Bug #68673 out of bounds access
Submitted: 2014-12-28 23:20 UTC Modified: 2015-05-16 13:11 UTC
From: bugreports at internot dot info Assigned: cmb (profile)
Status: Not a bug Package: SQLite related
PHP Version: master-Git-2014-12-28 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2014-12-28 23:20 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/sqlite3/libsqlite/sqlite3.c:

96895      fkLookupParent(pParse, iDb, pTo, pIdx, pFKey, aiCol, regOld, -1,isIgnore);

aiCol is an int, but it is used as an array:

96302    int iReg = aiCol[i] + regData + 1;

in the fkLookupParent() function.

Thanks,


 [2014-12-28 23:26 UTC] bugreports at internot dot info
And here:

140572  rc = fts3SqlStmt(p, SQL_SELECT_CONTENT_BY_ROWID, &pSelect, &pRowid);

&pRowid is an int, but is called as an array in the fts3SqlStmt function:

139924      rc = sqlite3_bind_value(pStmt, i+1, apVal[i]);

Thanks,
 [2014-12-30 02:52 UTC] aharvey@php.net
-Package: *General Issues +Package: SQLite related
 [2015-05-16 13:11 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2015-05-16 13:11 UTC] cmb@php.net
I had a look at the bundled sqlite3.c from 2014-12-28[1], and there
the mentioned aiCol is an int* (not an int), and &rowId is an
sqlite3_value** (not an int).

[1] <https://github.com/php/php-src/blob/fccd1eda5fe440105d051f4cbaa77ced95b674f0/ext/sqlite3/libsqlite/sqlite3.c>
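The pattern behind both call sites is a pointer parameter that the callee indexes like an array, where the element count is supplied by the caller rather than by the type. Passing the address of a single variable (`&iCol`, `&pRowid`) is then a valid one-element array as long as the callee only touches index 0. The following is an added illustration written for this page, not SQLite's code: the function and variable names (`sum_regs`, `single_column`, `multi_column`, `call_in_bounds`) are hypothetical, and the loop body only mirrors the shape of the quoted `aiCol[i] + regData + 1` line. It shows the valid single-element and heap-array calls, and the one condition that would actually be an out-of-bounds read: a count larger than the storage behind the pointer.

```c
#include <stddef.h>
#include <stdlib.h>

/* Callee shape: the parameter is declared int*, and is indexed as an array.
 * How many elements are valid is nCol, which the caller must get right;
 * the type "int *" alone says nothing about the length.
 * (Hypothetical function; mirrors the shape of the quoted sqlite3.c line.) */
static int sum_regs(const int *aiCol, int nCol, int regData)
{
    int total = 0;
    for (int i = 0; i < nCol; i++) {
        int iReg = aiCol[i] + regData + 1;  /* same expression shape as the report */
        total += iReg;
    }
    return total;
}

/* Caller, single-column case: &iCol is one int of storage, so nCol must be 1.
 * This is the "&x passed where an array is expected" pattern the report flagged;
 * it is in bounds because the callee never reads past index 0. */
int single_column(int iCol, int regData)
{
    return sum_regs(&iCol, 1, regData);
}

/* Caller, multi-column case: nCol ints of heap storage behind the same int* type.
 * Returns -1 on allocation failure. */
int multi_column(const int *cols, int nCol, int regData)
{
    if (nCol < 0)
        return -1;
    int *aiCol = malloc(sizeof(int) * (size_t)nCol);
    if (aiCol == NULL)
        return -1;
    for (int i = 0; i < nCol; i++)
        aiCol[i] = cols[i];
    int r = sum_regs(aiCol, nCol, regData);
    free(aiCol);
    return r;
}

/* The real review question for this kind of call is a count check, not a
 * type check: a call is in bounds when the element count the callee will
 * index does not exceed the storage the caller actually provided.
 * Returns 1 when in bounds, 0 when the call would read past the end. */
int call_in_bounds(size_t elements_available, int nCol)
{
    return nCol >= 0 && (size_t)nCol <= elements_available;
}
```

The same shape applies to the second site: a local `sqlite3_value *pRowid` passed as `&pRowid` to a parameter of type `sqlite3_value **apVal` is a one-element array of value pointers, and `apVal[i]` is only a problem if the callee's loop bound exceeds 1. When triaging a report of this kind, the check to make is the relationship between the pointer's backing storage and the count the callee iterates to, which is what `call_in_bounds` expresses.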
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC