- Merge: Fixed possible crash when calling SQLiteDatabase::{ArrayQuery, SingleQuery} methods using Reflection

2 files changed, 24 insertions, 1 deletions

diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c
index f9b47c9a74..d8c5f6a850 100644
--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
@@ -129,7 +129,7 @@ PHP_INI_END()
 #define RES_FROM_OBJECT(res, object) RES_FROM_OBJECT_RESTORE_ERH(res, object, NULL)
 
 #define PHP_SQLITE_EMPTY_QUERY \
-	if (!sql_len) { \
+	if (!sql_len || !*sql) { \
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute empty query."); \
 		RETURN_FALSE; \
 	}
diff --git a/ext/sqlite/tests/sqlitedatabase_arrayquery.phpt b/ext/sqlite/tests/sqlitedatabase_arrayquery.phpt
new file mode 100644
index 0000000000..1e3084cebe
--- /dev/null
+++ b/ext/sqlite/tests/sqlitedatabase_arrayquery.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Testing SQLiteDatabase::ArrayQuery with NULL-byte string
+--SKIPIF--
+<?php
+if (!extension_loaded("sqlite")) print "skip";
+?>
+--FILE--
+<?php
+
+$method = new ReflectionMethod('sqlitedatabase::arrayquery');
+
+$class = $method->getDeclaringClass()->newInstanceArgs(array(':memory:'));
+
+$p = "\0";
+
+$method->invokeArgs($class, array_fill(0, 2, $p));
+$method->invokeArgs($class, array_fill(0, 1, $p));
+
+?>
+--EXPECTF--
+Warning: SQLiteDatabase::arrayQuery() expects parameter 2 to be long, string given in %s on line %d
+
+Warning: SQLiteDatabase::arrayQuery(): Cannot execute empty query. in %s on line %d