Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckS…

…ickOrOk())
php · Jul 7, 2015 · 26471eb · 26471eb
1 parent e41f600
commit 26471eb
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -18,6 +18,10 @@ PHP                                                                        NEWS
   . Fixed bug #69970 (Use-after-free vulnerability in
     spl_recursive_it_move_forward_ex()). (Laruence)
 
+- Sqlite3:
+  . Fixed bug #69972 (Use-after-free vulnerability in
+    sqlite3SafetyCheckSickOrOk()). (Laruence)
+
 09 Jul 2015, PHP 5.6.11
 
 - Core:

diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
@@ -287,7 +287,11 @@ PHP_METHOD(sqlite3, lastErrorCode)
 		return;
 	}
 
-	RETURN_LONG(sqlite3_errcode(db_obj->db));
+	if (db_obj->initialised) {
+		RETURN_LONG(sqlite3_errcode(db_obj->db));
+	} else {
+		RETURN_LONG(0);
+	}
 }
 /* }}} */
 
@@ -305,7 +309,11 @@ PHP_METHOD(sqlite3, lastErrorMsg)
 		return;
 	}
 
-	RETVAL_STRING((char *)sqlite3_errmsg(db_obj->db), 1);
+	if (db_obj->initialised) {
+		RETURN_STRING((char *)sqlite3_errmsg(db_obj->db), 1);
+	} else {
+		RETURN_EMPTY_STRING();
+	}
 }
 /* }}} */
 

diff --git a/ext/sqlite3/tests/bug69972.phpt b/ext/sqlite3/tests/bug69972.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk())
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+echo "SELECTING from invalid table\n";
+$result = $db->query("SELECT * FROM non_existent_table");
+echo "Closing database\n";
+var_dump($db->close());
+echo "Done\n";
+
+// Trigger the use-after-free
+echo "Error Code: " . $db->lastErrorCode() . "\n";
+echo "Error Msg: " . $db->lastErrorMsg() . "\n";
+?>
+--EXPECTF--
+SELECTING from invalid table
+
+Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in %sbug69972.php on line %d
+Closing database
+bool(true)
+Done
+Error Code: 0
+Error Msg: