Sec Bug #81740 PDO::quote() may return unquoted string
Submitted: 2022-10-29 13:25 UTC Modified: 2022-12-19 06:27 UTC
From: Assigned: stas (profile)
Status: Closed Package: PDO SQLite
PHP Version: 7.4Git-2022-10-29 (Git) OS: *
Private report: No CVE-ID: 2022-31631
 [2022-10-29 13:25 UTC]
Due to an uncaught integer overflow, PDO::quote() of PDO_SQLite
may return an improperly quoted string.  The exact details likely
depend on the implementation of sqlite3_snprintf(), but with
recent versions (tested sqlite 3.39.2 and sqlite 3.39.4) it is
possible to force the function to return a single apostrophe, if
the function is called on user supplied input without any length
restrictions in place (common memory_limit settings should prevent
that though, and usually also post_max_size etc.)

The problem is that the length parameter of sqlite3_snprintf() is
of type int, but we're passing an unrestricted zend_long value, so
overflow may occur.  This renders the previous safe_emalloc()
practically useless, since it only prevents overflow of size_t
values.  For 32-bit architectures (where we assume sizeof(zend_long)
== sizeof(int)) this is not a problem, but for 64-bit architectures
it is, as the given test script demonstrates.

Test script:
<?php
$pdo = new PDO("sqlite::memory:");
// 0x80000000 bytes: on 64-bit builds 2*len+3 no longer fits the int length parameter
$string = str_repeat("a", 0x80000000);
var_dump($pdo->quote($string));

Expected result:
A properly quoted string, false, or some other error indication.

Actual result:
string(1) "'"
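The int truncation the report describes, shown as an added example in plain C (constructed here, not code from the bug report, PHP or SQLite; the rejection bound in safe_quoted_size() is what the arithmetic requires and is not quoted from the PHP fix):

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed example modelled on the pattern in the report: a 64-bit
 * length (zend_long) is handed to a function whose size parameter is a
 * plain int, as sqlite3_snprintf()'s is. Nothing here calls SQLite. */

/* Vulnerable pattern: 2*len+3 is computed in 64 bits and then silently
 * converted to int at the call boundary. Returns what the callee sees. */
int vulnerable_quoted_size(uint64_t unquotedlen)
{
    uint64_t needed = 2 * unquotedlen + 3;   /* opening ', closing ', NUL */
    return (int)needed;                      /* high 32 bits are discarded */
}

/* Hardened pattern: refuse any length whose quoted size does not fit an
 * int, so the caller can return false/raise an error instead of quoting. */
bool safe_quoted_size(uint64_t unquotedlen, int *out)
{
    if (unquotedlen > (uint64_t)(INT_MAX - 3) / 2) {
        return false;
    }
    *out = (int)(2 * unquotedlen + 3);       /* now provably in range */
    return true;
}

/* Quote a string as a SQL literal ('' for each embedded ') using the
 * checked size; returns false rather than emitting a bad literal. */
bool quote_checked(const char *in, char *out, size_t outcap)
{
    int need;
    if (!safe_quoted_size(strlen(in), &need) || (size_t)need > outcap) {
        return false;
    }
    char *p = out;
    *p++ = '\'';
    for (; *in; in++) {
        if (*in == '\'') {
            *p++ = '\'';                     /* double the apostrophe */
        }
        *p++ = *in;
    }
    *p++ = '\'';
    *p = '\0';
    return true;
}
```

With the report's length of 0x80000000 the vulnerable path hands the callee a buffer size of 3, which is why the quoted output collapses; the checked path rejects the same input.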

 [2022-10-29 13:26 UTC]
-Assigned To: +Assigned To: cmb
 [2022-10-29 14:09 UTC]
Info about a recently fixed SQLite3 vulnerability which led me to
discover this issue:
 [2022-10-31 16:24 UTC]
-Assigned To: cmb +Assigned To: stas
 [2022-10-31 16:24 UTC]
I've checked with SQLite3 3.39.1 now, and there we get

string(2) "''"

So this is just an issue with SQLite3 ≥ 3.39.2.

Anyhow, suggested patch (for PHP-8.0, since 7.4 likely won't have
another release):

It might make sense to additionally raise an error in this case.
 [2022-12-19 06:22 UTC]
-CVE-ID: +CVE-ID: 2022-31631
 [2022-12-19 06:27 UTC]
Automatic comment on behalf of cmb69 (author) and smalyshev (committer)
Log: Fix #81740: PDO::quote() may return unquoted string
 [2022-12-19 06:27 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Jun 22 23:01:29 2024 UTC