Check column number before trying to fetch the value

Author: morozov

NEWS

@@ -15,6 +15,10 @@ PHP                                                                        NEWS
   . Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
     (cmb)
 
+- PDO:
+  . Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei
+    Morozov)
+
 - Sockets:
   . Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
     (Mizunashi Mana)

ext/pdo/pdo_stmt.c

@@ -532,6 +532,13 @@ static inline void fetch_value(pdo_stmt_t *stmt, zval *dest, int colno, int *typ
 	int caller_frees = 0;
 	int type, new_type;
 
+	if (colno < 0 || colno >= stmt->column_count) {
+		pdo_raise_impl_error(stmt->dbh, stmt, "HY000", "Invalid column index");
+		ZVAL_FALSE(dest);
+
+		return;
+	}
+
 	col = &stmt->columns[colno];
 	type = PDO_PARAM_TYPE(col->param_type);
 	new_type =  type_override ? (int)PDO_PARAM_TYPE(*type_override) : type;

ext/pdo/tests/pdo_038.phpt

@@ -0,0 +1,45 @@
+--TEST--
+PDOStatement::fetchColumn() invalid column index
+--SKIPIF--
+<?php # vim:ft=php
+if (!extension_loaded('pdo')) die('skip');
+$dir = getenv('REDIR_TEST_DIR');
+if (false == $dir) die('skip no driver');
+require_once $dir . 'pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.dirname(__FILE__) . '/../../pdo/tests/');
+require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';
+
+function fetchColumn($stmt, $index) {
+    $stmt->execute();
+    return $stmt->fetchColumn($index);
+}
+
+$conn  = PDOTest::factory();
+$query = 'SELECT 1';
+
+switch ($conn->getAttribute(PDO::ATTR_DRIVER_NAME)) {
+    case 'oci':
+        $query .= ' FROM DUAL';
+        break;
+    case 'firebird':
+        $query .= ' FROM RDB$DATABASE';
+        break;
+}
+
+$stmt = $conn->prepare($query);
+
+var_dump(fetchColumn($stmt, -1));
+var_dump(fetchColumn($stmt, 0));
+var_dump(fetchColumn($stmt, 1));
+?>
+--EXPECTF--
+Warning: PDOStatement::fetchColumn(): SQLSTATE[HY000]: General error: Invalid column index in %s
+bool(false)
+string(1) "1"
+
+Warning: PDOStatement::fetchColumn(): SQLSTATE[HY000]: General error: Invalid column index in %s
+bool(false)