Skip to content

Fix #44618: Fetching may rely on uninitialized data #6281

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cmb69 wants to merge 3 commits into from
Closed

Fix #44618: Fetching may rely on uninitialized data #6281

cmb69 wants to merge 3 commits into from

Conversation

@cmb69
Copy link
Member

@cmb69 cmb69 commented Oct 6, 2020

Unless SQLGetData() returns SQL_SUCCESS or SQL_SUCCESS_WITH_INFO,
the StrLen_or_IndPtr output argument is not guaranteed to be properly
set. Thus we handle retrieval failure other than SQL_ERROR by
silently yielding false for those column values.

Alternative handling of retrieval failure would be to raise E_WARNING as well, and/or let the whole odbc_fetch_into()/odbc_fetch_array() fail.

I don't really mind how exactly we solve this, but that bug needs to be fixed.

@cmb69
Fix #44618: Fetching may rely on uninitialized data
f4f6aaf 
Unless `SQLGetData()` returns `SQL_SUCCESS` or `SQL_SUCCESS_WITH_INFO`,
the `StrLen_or_IndPtr` output argument is not guaranteed to be properly
set.  Thus we handle retrieval failure other than `SQL_ERROR` by
silently yielding `false` for those column values.
@cmb69 cmb69 added the Bug label Oct 6, 2020
nikic
nikic reviewed Oct 6, 2020
View reviewed changes
@nikic
Copy link
Member

nikic commented Oct 6, 2020

Unless SQLGetData() returns SQL_SUCCESS or SQL_SUCCESS_WITH_INFO,
the StrLen_or_IndPtr output argument is not guaranteed to be properly
set. Thus we handle retrieval failure other than SQL_ERROR by
silently yielding false for those column values.

What is the actual return value we end up handling here?

@cmb69
Copy link
Member Author

cmb69 commented Oct 6, 2020

What is the actual return value we end up handling here?

In this case, it is SQL_NO_DATA, but SQLGetData() may also return SQL_STILL_EXECUTING, and theoretically SQL_INVALID_HANDLE which have the same issue. And maybe some drivers/driver managers may return other values as well. In any case, these failures do not provide further info in an associated SQLSTATE value.

@nikic
Copy link
Member

nikic commented Oct 6, 2020

What is the actual return value we end up handling here?

In this case, it is SQL_NO_DATA, but SQLGetData() may also return SQL_STILL_EXECUTING, and theoretically SQL_INVALID_HANDLE which have the same issue. And maybe some drivers/driver managers may return other values as well. In any case, these failures do not provide further info in an associated SQLSTATE value.

Independently of the problem you're trying to fix here ... why are we getting SQL_NO_DATA? The PHP code looks to be doing something sensible, why do we fail to fetch the text1 column?

@cmb69
Copy link
Member Author

cmb69 commented Oct 6, 2020

This connection requests use of the (deprecated) ODBC cursor library, which implements SQLGetData() in a limited way. But even when not using the ODBC cursor library, there can be issues with our mixing of SQLBindCol() and SQLGetData() (see https://bugs.php.net/76732#1601901051).

@cmb69
Copy link
Member Author

cmb69 commented Oct 26, 2020

Any objections to merge this?

@nikic
Copy link
Member

nikic commented Oct 26, 2020

My 2c here is that we should treat these cases as close to errors as we can. I understand we can't use odbc_sql_error(), so we should explicitly throw a warning and return false. Otherwise we will return corrupted data, and I doubt that anyone who uses these APIs will have appropriate checks in place to recognize false values in individual columns.

@cmb69
Copy link
Member Author

cmb69 commented Oct 28, 2020

Good point. Thanks! Maybe the error message can be improved (cc @kocsismate). I've chosen the column numbers to start at 1, because that is the convention for odbc_result() anyway.

nikic
nikic approved these changes Oct 28, 2020
View reviewed changes
Copy link
Member

@nikic nikic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable to me!

kocsismate
kocsismate reviewed Oct 29, 2020
View reviewed changes
@php-pulls php-pulls closed this in c21e901 Oct 29, 2020
@cmb69 cmb69 deleted the cmb/44618 branch October 29, 2020 11:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kocsismate kocsismate kocsismate left review comments

@nikic nikic nikic approved these changes

Assignees

No one assigned

Labels

Bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cmb69 @nikic @kocsismate