Merge branch 'pull-request/2532' into PHP-7.0

* pull-request/2532:
  Add bug #74625 to package.xml
  Add IN bind case to bug74625.phpt
  Fixed bug #74625 (Integer overflow in oci_bind_array_by_name).

Author: cjbj

NEWS

@@ -26,7 +26,8 @@ PHP                                                                        NEWS
     CVE-2017-9228, CVE-2017-9229) (Remi, Mamoru TASAKA)
 
 - OCI8:
- . Add TAF callback (PR #2459). (KoenigsKind)
+  . Add TAF callback (PR #2459). (KoenigsKind)
+  . Fixed bug #74625 (Integer overflow in oci_bind_array_by_name). (Ingmar Runge)
 
 - Opcache:
   . Fixed bug #74663 (Segfault with opcache.memory_protect and
@@ -2527,4 +2528,3 @@ PHP                                                                        NEWS
   . Update bundled libzip to 1.0.1. (Remi, Anatol)
   . Fixed bug #67161 (ZipArchive::getStream() returns NULL for certain file).
     (Christoph M. Becker)
-

ext/oci8/oci8_statement.c

@@ -38,6 +38,13 @@
 #include "php_oci8.h"
 #include "php_oci8_int.h"
 
+#if defined(OCI_MAJOR_VERSION) && (OCI_MAJOR_VERSION > 10) && \
+	(defined(__x86_64__) || defined(__LP64__) || defined(_LP64) || defined(_WIN64))
+typedef ub8 oci_phpsized_int;
+#else
+typedef ub4 oci_phpsized_int;
+#endif
+
 /* {{{ php_oci_statement_create()
  Create statemend handle and allocate necessary resources */
 php_oci_statement *php_oci_statement_create(php_oci_connection *connection, char *query, int query_len)
@@ -997,10 +1004,10 @@ int php_oci_bind_post_exec(zval *data)
 				for (i = 0; i < (int) bind->array.current_length; i++) {
 					if ((i < (int) bind->array.old_length) && (entry = zend_hash_get_current_data(hash)) != NULL) {
 						zval_dtor(entry);
-						ZVAL_LONG(entry, ((ub4 *)(bind->array.elements))[i]);
+						ZVAL_LONG(entry, ((oci_phpsized_int *)(bind->array.elements))[i]);
 						zend_hash_move_forward(hash);
 					} else {
-						add_next_index_long(bind->zval, ((ub4 *)(bind->array.elements))[i]);
+						add_next_index_long(bind->zval, ((oci_phpsized_int *)(bind->array.elements))[i]);
 					}
 				}
 				break;
@@ -1153,14 +1160,8 @@ int php_oci_bind_by_name(php_oci_statement *statement, char *name, size_t name_l
 				return 1;
 			}
 			convert_to_long(param);
-#if defined(OCI_MAJOR_VERSION) && (OCI_MAJOR_VERSION > 10) &&			\
-	(defined(__x86_64__) || defined(__LP64__) || defined(_LP64) || defined(_WIN64)) 
-			bind_data = (ub8 *)&Z_LVAL_P(param);
-			value_sz = sizeof(ub8);
-#else
-			bind_data = (ub4 *)&Z_LVAL_P(param);
-			value_sz = sizeof(ub4);
-#endif
+			bind_data = (oci_phpsized_int *)&Z_LVAL_P(param);
+			value_sz = sizeof(oci_phpsized_int);
 			mode = OCI_DEFAULT;
 			break;
 
@@ -1783,25 +1784,25 @@ php_oci_bind *php_oci_bind_array_helper_number(zval *var, zend_long max_table_le
 
 	bind = emalloc(sizeof(php_oci_bind));
 	ZVAL_UNDEF(&bind->parameter);
-	bind->array.elements		= (ub4 *)safe_emalloc(max_table_length, sizeof(ub4), 0);
+	bind->array.elements		= (oci_phpsized_int *)safe_emalloc(max_table_length, sizeof(oci_phpsized_int), 0);
 	bind->array.current_length	= zend_hash_num_elements(Z_ARRVAL_P(var));
 	bind->array.old_length		= bind->array.current_length;
-	bind->array.max_length		= sizeof(ub4);
+	bind->array.max_length		= sizeof(oci_phpsized_int);
 	bind->array.element_lengths	= safe_emalloc(max_table_length, sizeof(ub2), 0);
 	memset(bind->array.element_lengths, 0, max_table_length * sizeof(ub2));
 	bind->array.indicators		= NULL;
 
 	zend_hash_internal_pointer_reset(hash);
 	for (i = 0; i < max_table_length; i++) {
 		if (i < bind->array.current_length) {
-			bind->array.element_lengths[i] = sizeof(ub4);
+			bind->array.element_lengths[i] = sizeof(oci_phpsized_int);
 		}
 		if ((i < bind->array.current_length) && (entry = zend_hash_get_current_data(hash)) != NULL) {
 			convert_to_long_ex(entry);
-			((ub4 *)bind->array.elements)[i] = (ub4) Z_LVAL_P(entry);
+			((oci_phpsized_int *)bind->array.elements)[i] = (oci_phpsized_int) Z_LVAL_P(entry);
 			zend_hash_move_forward(hash);
 		} else {
-			((ub4 *)bind->array.elements)[i] = 0;
+			((oci_phpsized_int *)bind->array.elements)[i] = 0;
 		}
 	}
 	zend_hash_internal_pointer_reset(hash);

ext/oci8/package.xml

@@ -61,6 +61,7 @@ Interoperability Support" (ID 207303.1) for details.
   <notes>
 This version is for PHP 7 only.
 Added TAF callback support (PR #2459, KoenigsKind) 
+Fixed bug #74625 (Integer overflow in oci_bind_array_by_name). (Ingmar Runge)
   </notes>
  <contents>
   <dir name="/">
@@ -164,6 +165,7 @@ Added TAF callback support (PR #2459, KoenigsKind)
     <file name="bug71422.phpt" role="test" />
     <file name="bug71600.phpt" role="test" />
     <file name="bug72524.phpt" role="test" />
+    <file name="bug74625.phpt" role="test" />
     <file name="clientversion.phpt" role="test" />
     <file name="close.phpt" role="test" />
     <file name="coll_001.phpt" role="test" />

ext/oci8/tests/bug74625.phpt

@@ -0,0 +1,65 @@
+--TEST--
+Bug #74625 (Integer overflow in oci_bind_array_by_name)
+--SKIPIF--
+<?php
+if (!extension_loaded('oci8')) die ("skip no oci8 extension");
+?>
+--FILE--
+<?php
+require(dirname(__FILE__).'/connect.inc');
+
+// Initialization
+
+$stmtarray = array(
+        "CREATE TABLE bug74625_tab (NAME NUMBER)",
+        "CREATE OR REPLACE PACKAGE PKG74625 AS
+          TYPE ARRTYPE IS TABLE OF NUMBER INDEX BY BINARY_INTEGER;
+          PROCEDURE iobind(c1 IN OUT ARRTYPE);
+         END PKG74625;",
+        "CREATE OR REPLACE PACKAGE BODY PKG74625 AS
+          PROCEDURE iobind(c1 IN OUT ARRTYPE) IS
+          BEGIN
+           FOR i IN 1..5 LOOP
+            c1(i) := c1(i) * 2;
+           END LOOP;
+          END iobind;
+         END PKG74625;"
+);
+
+oci8_test_sql_execute($c, $stmtarray);
+
+$statement = oci_parse($c, "BEGIN pkg74625.iobind(:c1); END;");
+
+$array = Array(-1,-2,-3,-4,-5);
+
+oci_bind_array_by_name($statement, ":c1", $array, 5, -1, SQLT_INT);
+
+oci_execute($statement);
+
+var_dump($array);
+
+// Cleanup
+$stmtarray = array(
+    "DROP TABLE bug74625_tab",
+    "DROP PACKAGE PKG74625"
+);
+
+oci8_test_sql_execute($c, $stmtarray);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+array(5) {
+  [0]=>
+  int(-2)
+  [1]=>
+  int(-4)
+  [2]=>
+  int(-6)
+  [3]=>
+  int(-8)
+  [4]=>
+  int(-10)
+}
+===DONE===