Skip to content

ext/pdo_sqlite: PDO::sqliteCreateCollection return type strenghtening. #18799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
+18 −6
Closed

ext/pdo_sqlite: PDO::sqliteCreateCollection return type strenghtening. #18799

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4494e12
ext/pdo_sqlite: PDO::sqliteCreateCollection return type strenghtening.
devnexen Jun 7, 2025
7f42ddc
add test
devnexen Jun 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions ext/pdo_sqlite/pdo_sqlite.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -385,14 +385,14 @@ static int php_sqlite_collation_callback(void *context, int string1_len, const v
zend_type_error("%s(): Return value of the collation callback must be of type int, %s returned",
ZSTR_VAL(func_name), zend_zval_value_name(&retval));
zend_string_release(func_name);
zval_ptr_dtor(&retval);
return FAILURE;
ret = FAILURE;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change in this file is wrong, why did you change this?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In particular, you're accessing the zval as if it were a long below, but that's not the case. This means you're either interpreting garbage bytes or uninit memory.

}
if (Z_LVAL(retval) > 0) {
ret = 1;
} else if (Z_LVAL(retval) < 0) {
ret = -1;
}
Comment on lines 390 to 394
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow-up: Could we not use ZEND_NORMALIZE_BOOL here rather than doing it "manually"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not a bad idea !

zval_ptr_dtor(&retval);
}

return ret;
Expand Down
12 changes: 8 additions & 4 deletions ext/pdo_sqlite/sqlite_driver.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,9 +483,16 @@ static int php_sqlite3_collation_callback(void *context, int string1_len, const

zend_call_known_fcc(&collation->callback, &retval, /* argc */ 2, zargs, /* named_params */ NULL);

zval_ptr_dtor(&zargs[0]);
zval_ptr_dtor(&zargs[1]);

if (!Z_ISUNDEF(retval)) {
if (Z_TYPE(retval) != IS_LONG) {
convert_to_long(&retval);
zend_string *func_name = get_active_function_or_method_name();
zend_type_error("%s(): Return value of the collation callback must be of type int, %s returned",
ZSTR_VAL(func_name), zend_zval_value_name(&retval));
zend_string_release(func_name);
ret = FAILURE;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly, this is also wrong

}
if (Z_LVAL(retval) > 0) {
ret = 1;
Expand All @@ -495,9 +502,6 @@ static int php_sqlite3_collation_callback(void *context, int string1_len, const
zval_ptr_dtor(&retval);
}

zval_ptr_dtor(&zargs[0]);
zval_ptr_dtor(&zargs[1]);

return ret;
}

Expand Down
8 changes: 8 additions & 0 deletions ext/pdo_sqlite/tests/pdo_sqlite_createcollation.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,13 @@ foreach ($result as $row) {
echo $row['name'] . "\n";
}

$db->sqliteCreateCollation('MYCOLLATEBAD', function($a, $b) { return $a; });

try {
$db->query('SELECT name FROM test_pdo_sqlite_createcollation ORDER BY name COLLATE MYCOLLATEBAD');
} catch (\TypeError $e) {
echo $e->getMessage(), PHP_EOL;
}
?>
--EXPECT--
1
Expand All @@ -32,3 +39,4 @@ foreach ($result as $row) {
1
10
2
PDO::query(): Return value of the collation callback must be of type int, string returned
Loading