authorIlia Alshanetsky <iliaa@php.net>2011-11-15 18:02:58 +0000
committerIlia Alshanetsky <iliaa@php.net>2011-11-15 18:02:58 +0000
commit32c4c239c0c499708287c8e9a472823c56e5b3de (patch)
treed1090090cd4d4ee143964946c6b79d8a2a955902
parent1f81004be268c2918ecf6ca996461c7b0c152a20 (diff)
Fixed bug #60244 (pg_fetch_* functions do not validate that row param is >0).
-rw-r--r--ext/pgsql/pgsql.c4
-rw-r--r--ext/pgsql/tests/bug60244.phpt57
2 files changed, 61 insertions, 0 deletions
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index a82271776c..8f979b7391 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -2452,6 +2452,10 @@ static void php_pgsql_fetch_hash(INTERNAL_FUNCTION_PARAMETERS, long result_type,
} else {
convert_to_long(zrow);
row = Z_LVAL_P(zrow);
+ if (row < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The row parameter must be greater or equal to zero");
+ RETURN_FALSE;
+ }
}
use_row = ZEND_NUM_ARGS() > 1 && row != -1;
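Review bot: The new `row < 0` guard carries no comment saying why negatives must be rejected at this point, and the reason only shows on the following line: `use_row` treats `row == -1` as "no row argument given", so a caller-supplied -1 would otherwise alias that internal marker and be handled as a fetch without a row. I would add above the check `/* -1 is the internal "no row supplied" marker tested in use_row below; reject caller-supplied negatives so they cannot alias it */`. The upper bound against the result's row count is not visible in this hunk; presumably it is enforced further down in php_pgsql_fetch_hash, whose body starts and ends outside the hunk, and that is worth confirming alongside this change.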
diff --git a/ext/pgsql/tests/bug60244.phpt b/ext/pgsql/tests/bug60244.phpt
new file mode 100644
index 0000000000..94568b6031
--- /dev/null
+++ b/ext/pgsql/tests/bug60244.phpt
@@ -0,0 +1,57 @@
+--TEST--
+Bug #60244 (pg_fetch_* functions do not validate that row param is >0)
+--SKIPIF--
+<?php
+include("skipif.inc");
+?>
+--FILE--
+<?php
+
+include 'config.inc';
+
+$db = pg_connect($conn_str);
+$result = pg_query("select 'a' union select 'b'");
+
+var_dump(pg_fetch_array($result, -1));
+var_dump(pg_fetch_assoc($result, -1));
+var_dump(pg_fetch_object($result, -1));
+var_dump(pg_fetch_row($result, -1));
+
+var_dump(pg_fetch_array($result, 0));
+var_dump(pg_fetch_assoc($result, 0));
+var_dump(pg_fetch_object($result, 0));
+var_dump(pg_fetch_row($result, 0));
+
+pg_close($db);
+
+?>
+--EXPECTF--
+Warning: pg_fetch_array(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d
+bool(false)
+
+Warning: pg_fetch_assoc(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d
+bool(false)
+
+Warning: pg_fetch_object(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d
+bool(false)
+
+Warning: pg_fetch_row(): The row parameter must be greater or equal to zero in %sbug60244.php on line %d
+bool(false)
+array(2) {
+ [0]=>
+ string(1) "a"
+ ["?column?"]=>
+ string(1) "a"
+}
+array(1) {
+ ["?column?"]=>
+ string(1) "a"
+}
+object(stdClass)#1 (1) {
+ ["?column?"]=>
+ string(1) "a"
+}
+array(1) {
+ [0]=>
+ string(1) "a"
+}
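Review bot: The test exercises only -1, which is exactly the value that collided with the internal marker, so it would still pass if the guard in pgsql.c were narrowed to `row == -1`. Adding one more negative case, for example `var_dump(pg_fetch_row($result, -2));` with the same expected warning line, pins the `row < 0` behaviour for the whole negative range. The `object(stdClass)#1` line in EXPECTF also hard-codes the object handle; `object(stdClass)#%d (1) {` would be less brittle.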