Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk())

2 files changed, 38 insertions, 2 deletions

diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 58ab5e80a1..16319a7341 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -287,7 +287,11 @@ PHP_METHOD(sqlite3, lastErrorCode)
 		return;
 	}
 
-	RETURN_LONG(sqlite3_errcode(db_obj->db));
+	if (db_obj->initialised) {
+		RETURN_LONG(sqlite3_errcode(db_obj->db));
+	} else {
+		RETURN_LONG(0);
+	}
 }
 /* }}} */
 
@@ -305,7 +309,11 @@ PHP_METHOD(sqlite3, lastErrorMsg)
 		return;
 	}
 
-	RETVAL_STRING((char *)sqlite3_errmsg(db_obj->db), 1);
+	if (db_obj->initialised) {
+		RETURN_STRING((char *)sqlite3_errmsg(db_obj->db), 1);
+	} else {
+		RETURN_EMPTY_STRING();
+	}
 }
 /* }}} */
 
diff --git a/ext/sqlite3/tests/bug69972.phpt b/ext/sqlite3/tests/bug69972.phpt
new file mode 100644
index 0000000000..539ebd2696
--- /dev/null
+++ b/ext/sqlite3/tests/bug69972.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk())
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+echo "SELECTING from invalid table\n";
+$result = $db->query("SELECT * FROM non_existent_table");
+echo "Closing database\n";
+var_dump($db->close());
+echo "Done\n";
+
+// Trigger the use-after-free
+echo "Error Code: " . $db->lastErrorCode() . "\n";
+echo "Error Msg: " . $db->lastErrorMsg() . "\n";
+?>
+--EXPECTF--
+SELECTING from invalid table
+
+Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in %sbug69972.php on line %d
+Closing database
+bool(true)
+Done
+Error Code: 0
+Error Msg: