1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 5e27f69cbb66d7468645f337858c2b140274b4b6 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Mon, 19 Sep 2016 17:49:57 +0200
Subject: [PATCH] fix buffer overflow, raising segfault in pdo driver
---
source/pdo_sqlsrv/pdo_dbh.cpp | 2 +-
source/pdo_sqlsrv/pdo_stmt.cpp | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/source/pdo_sqlsrv/pdo_dbh.cpp b/source/pdo_sqlsrv/pdo_dbh.cpp
index 20f996b..079eca0 100644
--- a/source/pdo_sqlsrv/pdo_dbh.cpp
+++ b/source/pdo_sqlsrv/pdo_dbh.cpp
@@ -361,7 +361,7 @@ struct pdo_dbh_methods pdo_sqlsrv_dbh_methods = {
{ \
pdo_sqlsrv_dbh* driver_dbh = reinterpret_cast<pdo_sqlsrv_dbh*>( dbh->driver_data ); \
driver_dbh->set_func( __FUNCTION__ ); \
- int length = strlen(__FUNCTION__); \
+ int length = strlen(__FUNCTION__)+strlen(": entering"); \
char func[length+1]; \
LOG( SEV_NOTICE, strcat(strcpy(func, __FUNCTION__), ": entering")); \
}
diff --git a/source/pdo_sqlsrv/pdo_stmt.cpp b/source/pdo_sqlsrv/pdo_stmt.cpp
index dc989f4..4486404 100644
--- a/source/pdo_sqlsrv/pdo_stmt.cpp
+++ b/source/pdo_sqlsrv/pdo_stmt.cpp
@@ -339,7 +339,7 @@ void stmt_option_emulate_prepares:: operator()( sqlsrv_stmt* stmt, stmt_option c
{ \
pdo_sqlsrv_stmt* driver_stmt = reinterpret_cast<pdo_sqlsrv_stmt*>( stmt->driver_data ); \
driver_stmt->set_func( __FUNCTION__ ); \
- int length = strlen(__FUNCTION__); \
+ int length = strlen(__FUNCTION__)+strlen(": entering"); \
char func[length+1]; \
LOG( SEV_NOTICE, strcat(strcpy(func, __FUNCTION__), ": entering")); \
}
@@ -427,7 +427,7 @@ int pdo_sqlsrv_stmt_describe_col(pdo_stmt_t *stmt, int colno TSRMLS_DC)
#else
pdo_sqlsrv_stmt* driver_stmtt = reinterpret_cast<pdo_sqlsrv_stmt*>( stmt->driver_data );
driver_stmtt->set_func( __FUNCTION__ );
- int length = strlen(__FUNCTION__);
+ int length = strlen(__FUNCTION__)+strlen(": entering");
char func[length+1];
LOG( SEV_NOTICE, strcat(strcpy(func, __FUNCTION__), ": entering"));
#endif
|
