78 lines
2.5 KiB
Diff
78 lines
2.5 KiB
Diff
From 310b17f5c8938389b1dbd7d8ff5a8144bfb9a351 Mon Sep 17 00:00:00 2001
|
|
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
|
Date: Tue, 17 May 2022 12:59:23 +0200
|
|
Subject: [PATCH 1/3] Fix #81720: Uninitialized array in pg_query_params()
|
|
leading to RCE
|
|
|
|
We must not free parameters which we haven't initialized yet.
|
|
|
|
We also fix the not directly related issue, that we checked for the
|
|
wrong value being `NULL`, potentially causing a segfault.
|
|
|
|
(cherry picked from commit 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab)
|
|
(cherry picked from commit 6f979c832c861fb32e2dbad5e0cc29edcee7c500)
|
|
---
|
|
ext/pgsql/pgsql.c | 4 ++--
|
|
ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++
|
|
2 files changed, 29 insertions(+), 2 deletions(-)
|
|
create mode 100644 ext/pgsql/tests/bug81720.phpt
|
|
|
|
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
|
|
index c97c600b66..8bc7568056 100644
|
|
--- a/ext/pgsql/pgsql.c
|
|
+++ b/ext/pgsql/pgsql.c
|
|
@@ -1988,7 +1988,7 @@ PHP_FUNCTION(pg_query_params)
|
|
if (Z_TYPE(tmp_val) != IS_STRING) {
|
|
php_error_docref(NULL, E_WARNING,"Error converting parameter");
|
|
zval_ptr_dtor(&tmp_val);
|
|
- _php_pgsql_free_params(params, num_params);
|
|
+ _php_pgsql_free_params(params, i);
|
|
RETURN_FALSE;
|
|
}
|
|
params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val));
|
|
@@ -5188,7 +5188,7 @@ PHP_FUNCTION(pg_send_execute)
|
|
if (Z_TYPE(tmp_val) != IS_STRING) {
|
|
php_error_docref(NULL, E_WARNING,"Error converting parameter");
|
|
zval_ptr_dtor(&tmp_val);
|
|
- _php_pgsql_free_params(params, num_params);
|
|
+ _php_pgsql_free_params(params, i);
|
|
RETURN_FALSE;
|
|
}
|
|
params[i] = estrndup(Z_STRVAL(tmp_val), Z_STRLEN(tmp_val));
|
|
diff --git a/ext/pgsql/tests/bug81720.phpt b/ext/pgsql/tests/bug81720.phpt
|
|
new file mode 100644
|
|
index 0000000000..d79f1fcdd6
|
|
--- /dev/null
|
|
+++ b/ext/pgsql/tests/bug81720.phpt
|
|
@@ -0,0 +1,27 @@
|
|
+--TEST--
|
|
+Bug #81720 (Uninitialized array in pg_query_params() leading to RCE)
|
|
+--SKIPIF--
|
|
+<?php include("skipif.inc"); ?>
|
|
+--FILE--
|
|
+<?php
|
|
+include('config.inc');
|
|
+
|
|
+$conn = pg_connect($conn_str);
|
|
+
|
|
+try {
|
|
+ pg_query_params($conn, 'SELECT $1, $2', [1, new stdClass()]);
|
|
+} catch (Throwable $ex) {
|
|
+ echo $ex->getMessage(), PHP_EOL;
|
|
+}
|
|
+
|
|
+try {
|
|
+ pg_send_prepare($conn, "my_query", 'SELECT $1, $2');
|
|
+ pg_get_result($conn);
|
|
+ pg_send_execute($conn, "my_query", [1, new stdClass()]);
|
|
+} catch (Throwable $ex) {
|
|
+ echo $ex->getMessage(), PHP_EOL;
|
|
+}
|
|
+?>
|
|
+--EXPECT--
|
|
+Object of class stdClass could not be converted to string
|
|
+Object of class stdClass could not be converted to string
|
|
--
|
|
2.35.3
|
|
|
