php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74625 Integer overflow in oci_bind_array_by_name
Submitted: 2017-05-21 17:31 UTC Modified: 2017-05-21 23:13 UTC
From: ingmar dot php at irsoft dot de Assigned: sixd (profile)
Status: Closed Package: OCI8 related
PHP Version: 7.1.5 OS: Any
Private report: No CVE-ID: None
 [2017-05-21 17:31 UTC] ingmar dot php at irsoft dot de
Description:
------------
The same problem as fixed in bug #68298 for oci_bind_by_name exists in oci_bind_array_by_name as well. I have a tested patch and will submit it soon™.

Test script:
---------------
$sql = '
  BEGIN
      SELECT -1 BULK COLLECT INTO :a FROM DUAL;
  END;
';

$stmt = oci_parse($conn, $sql);

oci_bind_array_by_name($stmt, ':a', $a, 5000, 10, SQLT_INT);

oci_execute($stmt);

var_dump($a);

Expected result:
----------------
Array
(
    [0] => -1
)

Actual result:
--------------
Array
(
    [0] => 4294967295
)

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-05-21 23:13 UTC] sixd@php.net
-Assigned To: +Assigned To: sixd
 [2017-06-21 05:56 UTC] sixd@php.net
Automatic comment on behalf of ingmar.runge@sixt.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fa3615f14ee9c0be361d8c45251f9d30cfe49900
Log: Fixed bug #74625 (Integer overflow in oci_bind_array_by_name).
 [2017-06-21 05:56 UTC] sixd@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC