From 21975f388e884e0154c625ee9c18bfc6a888bddc Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 17 Aug 2019 14:03:33 +0200
Subject: [PATCH 1/3] Implement NUL byte checks for dbnames

Since we're passing these parameter to C functions accepting `char*` without any further checking, we should reject strings with NUL bytes in the first place.

---
 ext/sqlite3/sqlite3.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index fa0d91bca4043..96a1fa11299dc 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1300,6 +1300,11 @@ PHP_METHOD(sqlite3, openBlob)
 return;
 }
 
+ if (ZEND_NUM_ARGS() >= 4 && CHECK_NULL_PATH(dbname, dbname_len)) {
+ zend_type_error("dbname must not contain NUL bytes");
+ return;
+ }
+
 sqlite_flags = (flags & SQLITE_OPEN_READWRITE) ? 1 : 0;
 
 if (sqlite3_blob_open(db_obj->db, dbname, table, column, rowid, sqlite_flags, &blob) != SQLITE_OK) {
@@ -1368,6 +1373,13 @@ PHP_METHOD(sqlite3, backup)
 return;
 }
 
+ if (ZEND_NUM_ARGS() >= 2 && CHECK_NULL_PATH(source_dbname, source_dbname_length)
+ || ZEND_NUM_ARGS() >= 3 && CHECK_NULL_PATH(destination_dbname, destination_dbname_length)
+ ) {
+ zend_type_error("dbname must not contain NUL bytes");
+ return;
+ }
+
 destination_obj = Z_SQLITE3_DB_P(destination_zval);
 
 SQLITE3_CHECK_INITIALIZED(destination_obj, destination_obj->initialised, SQLite3)

From 305451ebfc509088b247644b41f2c9fb17597329 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 17 Aug 2019 14:30:41 +0200
Subject: [PATCH 2/3] Add suggested parentheses

---
 ext/sqlite3/sqlite3.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 96a1fa11299dc..45a18c3624f57 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
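Review bot: The new guard covers only `dbname`, while the unchanged `sqlite3_blob_open()` call at the end of the hunk also receives `table` and `column` as C strings, and the commit message's own rationale (a string handed to a `char*` API is cut off at its first NUL) applies to them just as much. If they are parsed from userland the way dbname is (the parameter parsing sits above the hunk, outside view), the same check belongs next to this one, e.g. `if (CHECK_NULL_PATH(table, table_len) || CHECK_NULL_PATH(column, column_len)) { zend_type_error("table and column must not contain NUL bytes"); return; }`, using whatever length variables the parser fills for them. Gating on `ZEND_NUM_ARGS() >= 4` presumably exists so that a default dbname is never scanned; a one-line comment such as `/* only a caller-supplied dbname can carry a NUL */` would record that intent for the next reader. openBlob's body starts before and continues after this hunk.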
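Review bot: Both arms of the new condition in backup() raise the identical message `"dbname must not contain NUL bytes"`, so a caller cannot tell whether `source_dbname` or `destination_dbname` was rejected, which matters because the two are validated under different argument-count thresholds. Two separate guards, each naming its own parameter, give an actionable error and remove the need for the multi-line condition; the rewritten lines are below. backup()'s body starts before and continues after this hunk.
```c
	if (ZEND_NUM_ARGS() >= 2 && CHECK_NULL_PATH(source_dbname, source_dbname_length)) {
		zend_type_error("source_dbname must not contain NUL bytes");
		return;
	}
	if (ZEND_NUM_ARGS() >= 3 && CHECK_NULL_PATH(destination_dbname, destination_dbname_length)) {
		zend_type_error("destination_dbname must not contain NUL bytes");
		return;
	}
	/* … unchanged: destination_obj lookup and SQLITE3_CHECK_INITIALIZED … */
```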
@@ -1373,8 +1373,8 @@ PHP_METHOD(sqlite3, backup)
 return;
 }
 
- if (ZEND_NUM_ARGS() >= 2 && CHECK_NULL_PATH(source_dbname, source_dbname_length)
- || ZEND_NUM_ARGS() >= 3 && CHECK_NULL_PATH(destination_dbname, destination_dbname_length)
+ if ((ZEND_NUM_ARGS() >= 2 && CHECK_NULL_PATH(source_dbname, source_dbname_length))
+ || (ZEND_NUM_ARGS() >= 3 && CHECK_NULL_PATH(destination_dbname, destination_dbname_length))
 ) {
 zend_type_error("dbname must not contain NUL bytes");
 return;

From fb2337b2ace5d1e650ffec917991cf2ddb4d35af Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Tue, 10 Sep 2019 13:02:59 +0200
Subject: [PATCH 3/3] Throw ValueError instead of TypeError

---
 ext/sqlite3/sqlite3.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 45a18c3624f57..39b015e2f912e 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -1301,7 +1301,7 @@ PHP_METHOD(sqlite3, openBlob)
 }
 
 if (ZEND_NUM_ARGS() >= 4 && CHECK_NULL_PATH(dbname, dbname_len)) {
- zend_type_error("dbname must not contain NUL bytes");
+ zend_value_error("dbname must not contain NUL bytes");
 return;
 }
 
@@ -1376,7 +1376,7 @@ PHP_METHOD(sqlite3, backup)
 if ((ZEND_NUM_ARGS() >= 2 && CHECK_NULL_PATH(source_dbname, source_dbname_length))
 || (ZEND_NUM_ARGS() >= 3 && CHECK_NULL_PATH(destination_dbname, destination_dbname_length))
 ) {
- zend_type_error("dbname must not contain NUL bytes");
+ zend_value_error("dbname must not contain NUL bytes");
 return;
 }