From 5785ff77288ba13af68605c858cde13644c440bb Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Thu, 15 Jan 2026 23:05:18 +0000
Subject: [PATCH] exp/pgsql: insert/update query string build possible UB fix.

From PQescapeIdentifier() docs
```
A terminating zero byte is not required, and should not be counted in length
```
---
 NEWS | 4 ++++
 ext/pgsql/pgsql.c | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 39f1d4e7db3a7..06ebe601478e3 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,10 @@ PHP NEWS
 . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
 (ndossche)
 
+- PGSQL:
+ . Fixed INSERT/UPDATE queries building with PQescapeIdentifier() and possible
+ UB. (David Carlier)
+
 - Readline:
 . Fixed bug GH-18139 (Memory leak when overriding some settings via
 readline_info()). (ndossche)
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 1fbda456c3bbe..80aacd5443eaa 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -5632,7 +5632,7 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t
 goto cleanup;
 }
 if (opt & PGSQL_DML_ESCAPE) {
- tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld) + 1);
+ tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld));
 if (tmp == NULL) {
 php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s'", ZSTR_VAL(fld));
 goto cleanup;
@@ -5817,7 +5817,7 @@ static inline int build_assignment_string(PGconn *pg_link, smart_str *querystr,
 return -1;
 }
 if (opt & PGSQL_DML_ESCAPE) {
- char *tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld) + 1);
+ char *tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld));
 if (tmp == NULL) {
 php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s'", ZSTR_VAL(fld));
 return -1;
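Review bot: Neither hunk shows a check that `fld` is free of embedded NUL bytes before the `PQescapeIdentifier()` call in `php_pgsql_insert`, and the same holds for the identical call in `build_assignment_string`. libpq's escaping routines stop at the first zero byte met before `length` bytes are consumed (documented for PQescapeLiteral, and PQescapeIdentifier appears to behave the same way), so a key containing one would presumably be escaped as a shorter identifier than the caller supplied, and the `%s` notice would print the truncated name as well. Unless an earlier check outside these hunks already rejects such keys, a guard such as `if (strlen(ZSTR_VAL(fld)) != ZSTR_LEN(fld))` that takes the existing error exit (`goto cleanup` / `return -1`) before the escape would close that gap. Both function bodies start and end outside the hunks, so this needs confirming against the full file.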