From 454f2102935c1199e50c6d7482b7319c69f037ea Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 19 Sep 2016 18:21:08 +0200
Subject: php-sqlsrv: fix buffer overflow + fix reported version
---
REFLECTION | 333 +++++++++++++++++++++++++++++++++++++++++++++++++++++
php-sqlsrv.spec | 26 ++++-
sqlsrv-pr157.patch | 45 ++++++++
3 files changed, 403 insertions(+), 1 deletion(-)
create mode 100644 REFLECTION
create mode 100644 sqlsrv-pr157.patch
diff --git a/REFLECTION b/REFLECTION
new file mode 100644
index 0000000..9282ac6
--- /dev/null
+++ b/REFLECTION
@@ -0,0 +1,333 @@ +Extension [ extension #115 sqlsrv version 4.0.4 ] { + + - INI { + Entry [ sqlsrv.WarningsReturnAsErrors ] + Current = '1' + } + Entry [ sqlsrv.LogSeverity ] + Current = '0' + } + Entry [ sqlsrv.LogSubsystems ] + Current = '0' + } + Entry [ sqlsrv.ClientBufferMaxKBSize ] + Current = '10240' + } + } + + - Constants [74] { + Constant [ integer SQLSRV_ERR_ERRORS ] { 0 } + Constant [ integer SQLSRV_ERR_WARNINGS ] { 1 } + Constant [ integer SQLSRV_ERR_ALL ] { 2 } + Constant [ integer SQLSRV_LOG_SYSTEM_OFF ] { 0 } + Constant [ integer SQLSRV_LOG_SYSTEM_INIT ] { 1 } + Constant [ integer SQLSRV_LOG_SYSTEM_CONN ] { 2 } + Constant [ integer SQLSRV_LOG_SYSTEM_STMT ] { 4 } + Constant [ integer SQLSRV_LOG_SYSTEM_UTIL ] { 8 } + Constant [ integer SQLSRV_LOG_SYSTEM_ALL ] { -1 } + Constant [ integer SQLSRV_LOG_SEVERITY_ERROR ] { 1 } + Constant [ integer SQLSRV_LOG_SEVERITY_WARNING ] { 2 } + Constant [ integer SQLSRV_LOG_SEVERITY_NOTICE ] { 4 } + Constant [ integer SQLSRV_LOG_SEVERITY_ALL ] { -1 } + Constant [ integer SQLSRV_FETCH_NUMERIC ] { 1 } + Constant [ integer SQLSRV_FETCH_ASSOC ] { 2 } + Constant [ integer SQLSRV_FETCH_BOTH ] { 3 } + Constant [ integer SQLSRV_PHPTYPE_NULL ] { 1 } + Constant [ integer SQLSRV_PHPTYPE_INT ] { 2 } + Constant [ integer SQLSRV_PHPTYPE_FLOAT ] { 3 } + Constant [ integer SQLSRV_PHPTYPE_DATETIME ] { 5 } + Constant [ string SQLSRV_ENC_BINARY ] { binary } + Constant [ string SQLSRV_ENC_CHAR ] { char } + Constant [ integer SQLSRV_NULLABLE_NO ] { 0 } + Constant [ integer SQLSRV_NULLABLE_YES ] { 1 } + Constant [ integer SQLSRV_NULLABLE_UNKNOWN ] { 2 } + Constant [ integer SQLSRV_SQLTYPE_BIGINT ] { -5 } + Constant [ integer SQLSRV_SQLTYPE_BIT ] { -7 } + Constant [ integer SQLSRV_SQLTYPE_DATETIME ] { 25177693 } + Constant [ integer SQLSRV_SQLTYPE_FLOAT ] { 6 } + Constant [ integer SQLSRV_SQLTYPE_IMAGE ] { -4 } + Constant [ integer SQLSRV_SQLTYPE_INT ] { 4 } + Constant [ integer SQLSRV_SQLTYPE_MONEY ] { 33564163 } + Constant [ integer 
SQLSRV_SQLTYPE_NTEXT ] { -10 } + Constant [ integer SQLSRV_SQLTYPE_TEXT ] { -1 } + Constant [ integer SQLSRV_SQLTYPE_REAL ] { 7 } + Constant [ integer SQLSRV_SQLTYPE_SMALLDATETIME ] { 8285 } + Constant [ integer SQLSRV_SQLTYPE_SMALLINT ] { 5 } + Constant [ integer SQLSRV_SQLTYPE_SMALLMONEY ] { 33559555 } + Constant [ integer SQLSRV_SQLTYPE_TIMESTAMP ] { 4606 } + Constant [ integer SQLSRV_SQLTYPE_TINYINT ] { -6 } + Constant [ integer SQLSRV_SQLTYPE_UDT ] { -151 } + Constant [ integer SQLSRV_SQLTYPE_UNIQUEIDENTIFIER ] { -11 } + Constant [ integer SQLSRV_SQLTYPE_XML ] { -152 } + Constant [ integer SQLSRV_SQLTYPE_DATE ] { 5211 } + Constant [ integer SQLSRV_SQLTYPE_TIME ] { 58728806 } + Constant [ integer SQLSRV_SQLTYPE_DATETIMEOFFSET ] { 58738021 } + Constant [ integer SQLSRV_SQLTYPE_DATETIME2 ] { 58734173 } + Constant [ integer SQLSRV_SQLTYPE_DECIMAL ] { 3 } + Constant [ integer SQLSRV_SQLTYPE_NUMERIC ] { 2 } + Constant [ integer SQLSRV_SQLTYPE_CHAR ] { 1 } + Constant [ integer SQLSRV_SQLTYPE_NCHAR ] { -8 } + Constant [ integer SQLSRV_SQLTYPE_VARCHAR ] { 12 } + Constant [ integer SQLSRV_SQLTYPE_NVARCHAR ] { -9 } + Constant [ integer SQLSRV_SQLTYPE_BINARY ] { -2 } + Constant [ integer SQLSRV_SQLTYPE_VARBINARY ] { -3 } + Constant [ integer SQLSRV_PARAM_IN ] { 1 } + Constant [ integer SQLSRV_PARAM_OUT ] { 4 } + Constant [ integer SQLSRV_PARAM_INOUT ] { 2 } + Constant [ integer SQLSRV_TXN_READ_UNCOMMITTED ] { 1 } + Constant [ integer SQLSRV_TXN_READ_COMMITTED ] { 2 } + Constant [ integer SQLSRV_TXN_REPEATABLE_READ ] { 4 } + Constant [ integer SQLSRV_TXN_SERIALIZABLE ] { 8 } + Constant [ integer SQLSRV_TXN_SNAPSHOT ] { 32 } + Constant [ integer SQLSRV_SCROLL_NEXT ] { 1 } + Constant [ integer SQLSRV_SCROLL_PRIOR ] { 4 } + Constant [ integer SQLSRV_SCROLL_FIRST ] { 2 } + Constant [ integer SQLSRV_SCROLL_LAST ] { 3 } + Constant [ integer SQLSRV_SCROLL_ABSOLUTE ] { 5 } + Constant [ integer SQLSRV_SCROLL_RELATIVE ] { 6 } + Constant [ string SQLSRV_CURSOR_FORWARD ] { forward } + 
Constant [ string SQLSRV_CURSOR_STATIC ] { static } + Constant [ string SQLSRV_CURSOR_DYNAMIC ] { dynamic } + Constant [ string SQLSRV_CURSOR_KEYSET ] { keyset } + Constant [ string SQLSRV_CURSOR_CLIENT_BUFFERED ] { buffered } + } + + - Functions { + Function [ function sqlsrv_connect ] { + + - Parameters [2] { + Parameter #0 [ $server_name ] + Parameter #1 [ array $connection_info ] + } + } + Function [ function sqlsrv_close ] { + + - Parameters [1] { + Parameter #0 [ $conn ] + } + } + Function [ function sqlsrv_commit ] { + + - Parameters [1] { + Parameter #0 [ $conn ] + } + } + Function [ function sqlsrv_begin_transaction ] { + + - Parameters [1] { + Parameter #0 [ $conn ] + } + } + Function [ function sqlsrv_rollback ] { + + - Parameters [1] { + Parameter #0 [ $conn ] + } + } + Function [ function &sqlsrv_errors ] { + + - Parameters [1] { + Parameter #0 [ $errors_and_or_warnings ] + } + } + Function [ function sqlsrv_configure ] { + + - Parameters [2] { + Parameter #0 [ $setting ] + Parameter #1 [ $value ] + } + } + Function [ function sqlsrv_get_config ] { + + - Parameters [1] { + Parameter #0 [ $setting ] + } + } + Function [ function &sqlsrv_prepare ] { + + - Parameters [4] { + Parameter #0 [ $conn ] + Parameter #1 [ $tsql ] + Parameter #2 [ $params ] + Parameter #3 [ $options ] + } + } + Function [ function sqlsrv_execute ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function &sqlsrv_query ] { + + - Parameters [4] { + Parameter #0 [ $conn ] + Parameter #1 [ $tsql ] + Parameter #2 [ $params ] + Parameter #3 [ $options ] + } + } + Function [ function sqlsrv_fetch ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function &sqlsrv_get_field ] { + + - Parameters [3] { + Parameter #0 [ $stmt ] + Parameter #1 [ $field_index ] + Parameter #2 [ $get_as_type ] + } + } + Function [ function &sqlsrv_fetch_array ] { + + - Parameters [4] { + Parameter #0 [ $stmt ] + Parameter #1 [ $fetch_type ] + Parameter #2 [ $row ] + 
Parameter #3 [ $offset ] + } + } + Function [ function &sqlsrv_fetch_object ] { + + - Parameters [5] { + Parameter #0 [ $stmt ] + Parameter #1 [ $class_name ] + Parameter #2 [ $ctor_params ] + Parameter #3 [ $row ] + Parameter #4 [ $offset ] + } + } + Function [ function sqlsrv_has_rows ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function sqlsrv_num_fields ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function sqlsrv_next_result ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function sqlsrv_num_rows ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function sqlsrv_rows_affected ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function SQLSRV_PHPTYPE_STREAM ] { + + - Parameters [1] { + Parameter #0 [ $encoding ] + } + } + Function [ function SQLSRV_PHPTYPE_STRING ] { + + - Parameters [1] { + Parameter #0 [ $encoding ] + } + } + Function [ function sqlsrv_client_info ] { + + - Parameters [1] { + Parameter #0 [ $conn ] + } + } + Function [ function sqlsrv_server_info ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function sqlsrv_cancel ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function sqlsrv_free_stmt ] { + + - Parameters [1] { + Parameter #0 [ $conn ] + } + } + Function [ function &sqlsrv_field_metadata ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function sqlsrv_send_stream_data ] { + + - Parameters [1] { + Parameter #0 [ $stmt ] + } + } + Function [ function SQLSRV_SQLTYPE_BINARY ] { + + - Parameters [1] { + Parameter #0 [ $size ] + } + } + Function [ function SQLSRV_SQLTYPE_CHAR ] { + + - Parameters [1] { + Parameter #0 [ $size ] + } + } + Function [ function SQLSRV_SQLTYPE_DECIMAL ] { + + - Parameters [2] { + Parameter #0 [ $precision ] + Parameter #1 [ $scale ] + } + } + Function [ function SQLSRV_SQLTYPE_NCHAR ] { + + - Parameters [1] { + Parameter 
#0 [ $size ] + } + } + Function [ function SQLSRV_SQLTYPE_NUMERIC ] { + + - Parameters [2] { + Parameter #0 [ $precision ] + Parameter #1 [ $scale ] + } + } + Function [ function SQLSRV_SQLTYPE_NVARCHAR ] { + + - Parameters [1] { + Parameter #0 [ $size ] + } + } + Function [ function SQLSRV_SQLTYPE_VARBINARY ] { + + - Parameters [1] { + Parameter #0 [ $size ] + } + } + Function [ function SQLSRV_SQLTYPE_VARCHAR ] { + + - Parameters [1] { + Parameter #0 [ $size ] + } + } + } +} + diff --git a/php-sqlsrv.spec b/php-sqlsrv.spec index 08d3ae0..7380120 100644 --- a/php-sqlsrv.spec +++ b/php-sqlsrv.spec @@ -21,7 +21,7 @@ Name: %{?scl_prefix}php-sqlsrv Summary: Microsoft Drivers for PHP for SQL Server Version: 4.0.4 -Release: 2%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} +Release: 4%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} License: MIT Group: Development/Languages @@ -34,6 +34,8 @@ Patch0: %{extname}-pr153.patch Patch1: %{extname}-pr154.patch # https://github.com/Microsoft/msphpsql/pull/155 - PHP 7.1 Patch2: %{extname}-pr155.patch +# https://github.com/Microsoft/msphpsql/pull/157 - buffer overflow +Patch3: %{extname}-pr157.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: %{?scl_prefix}php-devel > 7 
@@ -84,10 +86,28 @@ cd %{gh_project}-%{gh_commit} %patch0 -p1 -b .pr153 %patch1 -p1 -b .pr154 %patch2 -p1 -b .pr155 +%patch3 -p1 -b .pr157 cd .. mv %{gh_project}-%{gh_commit}/source NTS +cd NTS +sed -e '/VER_FILEVERSION_STR/s/4.0.0.0/%{version}/' \ + -i sqlsrv/version.h pdo_sqlsrv/version.h + +# Sanity check, really often broken +extver=$(sed -n '/#define VER_FILEVERSION_STR/{s/.* "//;s/".*$//;p}' sqlsrv/version.h) +if test "x${extver}" != "x%{version}%{?prever}"; then + : Error: Upstream extension version is ${extver}, expecting %{version}%{?prever}. + exit 1 +fi +extver=$(sed -n '/#define VER_FILEVERSION_STR/{s/.* "//;s/".*$//;p}' pdo_sqlsrv/version.h) +if test "x${extver}" != "x%{version}%{?prever}"; then + : Error: Upstream extension version is ${extver}, expecting %{version}%{?prever}. + exit 1 +fi +cd .. + cat << 'EOF' | tee %{ininame} ; Enable '%{summary}' extension module extension = %{extname}.so @@ -203,6 +223,10 @@ rm -rf %{buildroot} %changelog +* Mon Sep 19 2016 Remi Collet - 4.0.4-4 +- fix reported version +- open https://github.com/Microsoft/msphpsql/pull/157 - buffer overflow + * Fri Sep 16 2016 Remi Collet - 4.0.4-2 - build from sources - open https://github.com/Microsoft/msphpsql/pull/153 - build diff --git a/sqlsrv-pr157.patch b/sqlsrv-pr157.patch new file mode 100644 index 0000000..11818e6 --- /dev/null +++ b/sqlsrv-pr157.patch 
@@ -0,0 +1,45 @@
+From 5e27f69cbb66d7468645f337858c2b140274b4b6 Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Mon, 19 Sep 2016 17:49:57 +0200
+Subject: [PATCH] fix buffer overflow, raising segfault in pdo driver
+
+---
+ source/pdo_sqlsrv/pdo_dbh.cpp | 2 +-
+ source/pdo_sqlsrv/pdo_stmt.cpp | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source/pdo_sqlsrv/pdo_dbh.cpp b/source/pdo_sqlsrv/pdo_dbh.cpp
+index 20f996b..079eca0 100644
+--- a/source/pdo_sqlsrv/pdo_dbh.cpp
++++ b/source/pdo_sqlsrv/pdo_dbh.cpp
+@@ -361,7 +361,7 @@ struct pdo_dbh_methods pdo_sqlsrv_dbh_methods = {
+ { \
+ pdo_sqlsrv_dbh* driver_dbh = reinterpret_cast( dbh->driver_data ); \
+ driver_dbh->set_func( __FUNCTION__ ); \
+- int length = strlen(__FUNCTION__); \
++ int length = strlen(__FUNCTION__)+strlen(": entering"); \
+ char func[length+1]; \
+ LOG( SEV_NOTICE, strcat(strcpy(func, __FUNCTION__), ": entering")); \
+ }
+diff --git a/source/pdo_sqlsrv/pdo_stmt.cpp b/source/pdo_sqlsrv/pdo_stmt.cpp
+index dc989f4..4486404 100644
+--- a/source/pdo_sqlsrv/pdo_stmt.cpp
++++ b/source/pdo_sqlsrv/pdo_stmt.cpp
+@@ -339,7 +339,7 @@ void stmt_option_emulate_prepares:: operator()( sqlsrv_stmt* stmt, stmt_option c
+ { \
+ pdo_sqlsrv_stmt* driver_stmt = reinterpret_cast( stmt->driver_data ); \
+ driver_stmt->set_func( __FUNCTION__ ); \
+- int length = strlen(__FUNCTION__); \
++ int length = strlen(__FUNCTION__)+strlen(": entering"); \
+ char func[length+1]; \
+ LOG( SEV_NOTICE, strcat(strcpy(func, __FUNCTION__), ": entering")); \
+ }
+@@ -427,7 +427,7 @@ int pdo_sqlsrv_stmt_describe_col(pdo_stmt_t *stmt, int colno TSRMLS_DC)
+ #else
+ pdo_sqlsrv_stmt* driver_stmtt = reinterpret_cast( stmt->driver_data );
+ driver_stmtt->set_func( __FUNCTION__ );
+- int length = strlen(__FUNCTION__);
++ int length = strlen(__FUNCTION__)+strlen(": entering");
+ char func[length+1];
+ LOG( SEV_NOTICE, strcat(strcpy(func, __FUNCTION__), ": entering"));
+ #endif
-- cgit
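Review bot: The corrected size is still coupled by hand to the text that `strcat` appends. The literal `": entering"` now appears twice in each of the three places the embedded patch touches: the macro bodies in pdo_dbh.cpp and pdo_stmt.cpp, and the inline copy in pdo_sqlsrv_stmt_describe_col. A later edit to the message on only one side would reintroduce the stack overflow. A bounded write removes that dependency: keep `char func[length+1];` and replace the `strcat(strcpy(...))` with `snprintf(func, length + 1, "%s: entering", __FUNCTION__);`, then pass `func` to `LOG`. `char func[length+1]` is also a variable-length array, which is a compiler extension in C++, so a `std::string` built from `__FUNCTION__` would avoid both the manual sizing and the extension. The macro definitions and the body of pdo_sqlsrv_stmt_describe_col start and end outside these hunks, so it is worth checking the rest of the tree for the same `strcat(strcpy(func, __FUNCTION__), ...)` pattern.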