From 21ddecd6a3b2adf7dcaf7852411b4aefc2e3ca06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Kr=C3=B6g?=
Date: Sat, 18 Jan 2025 22:57:28 -0500
Subject: [PATCH 1/3] =?UTF-8?q?Fix=20quadratic=20complexity=20of=20certain?= =?UTF-8?q?=20queries,=20thanks=20to=20work=20by=20Maximilian=20Kr=C3=B6g?= =?UTF-8?q?=20.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is phpMyAdmin security issue #359.

Signed-off-by: Isaac Bennetch
---
 CHANGELOG.md | 1 +
 src/Lexer.php | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e90099a1..281067f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Fixed
 - Add "RECURSIVE" on build() for "WITH RECURSIVE" on the WithStatement class (#605)
+- Fix for quadratic complexity in certain queries, which could have caused long execution times. Thanks to Maximilian Krög (GitHub user MoonE) for this security-related fix.
 ## [5.10.2] - 2024-12-05
diff --git a/src/Lexer.php b/src/Lexer.php
index 782dda66..0e34bc38 100644
--- a/src/Lexer.php
+++ b/src/Lexer.php
@@ -892,6 +892,7 @@ public function parseNumber()
 ) {
 // A number can't be directly followed by a letter
 $state = -$state;
+ break;
 } elseif ($this->str[$this->last] < '0' || $this->str[$this->last] > '9') {
 // Just digits and `.`, `e` and `E` are valid characters.
 break;
@@ -906,6 +907,7 @@ public function parseNumber()
 ) {
 // A number can't be directly followed by a letter
 $state = -$state;
+ break;
 } elseif ($this->str[$this->last] < '0' || $this->str[$this->last] > '9') {
 // Just digits, `e` and `E` are valid characters.
 break;
@@ -923,6 +925,7 @@ public function parseNumber()
 ) {
 // A number can't be directly followed by a letter
 $state = -$state;
+ break;
 } else {
 break;
 }

From 5346664973d10cf1abff20837fb1183f3c11a055 Mon Sep 17 00:00:00 2001
From: Isaac Bennetch
Date: Sat, 18 Jan 2025 23:06:02 -0500
Subject: [PATCH 2/3] Prepare to release 5.10.3
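Review bot: The three added `break;` lines in src/Lexer.php (after `$state = -$state;` in the hunk at -892 and again in the hunks at -906 and -923) are the entire fix for phpMyAdmin security issue #359, yet the only comment beside them still explains just why the state is negated. Going by the commit title, letting the loop run on after the state has turned invalid is presumably what made lexing quadratic, so a later cleanup could drop a `break;` as redundant and bring the slowdown back. I would add above each one a comment such as `// Stop scanning: the state is already invalid; reading on made lexing quadratic (security issue #359).` The patch touches only CHANGELOG.md and src/Lexer.php, so a regression test that pins the rejected-number path would also be worth adding. The loop and the rest of parseNumber() start and end outside these hunks, so the other states could not be checked from here.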
Signed-off-by: Isaac Bennetch
---
 CHANGELOG.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 281067f6..27c81c79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,11 @@
 # Change Log
-# [5.10.3] - YYYY-MM-DD
+## [5.10.3] - 2024-01-18
 ### Fixed
 - Add "RECURSIVE" on build() for "WITH RECURSIVE" on the WithStatement class (#605)
-- Fix for quadratic complexity in certain queries, which could have caused long execution times. Thanks to Maximilian Krög (GitHub user MoonE) for this security-related fix.
+- Fix for quadratic complexity in certain queries, which could have caused long execution times. Thanks to Maximilian Krög (GitHub user MoonE) for this fix to help improve security.
 ## [5.10.2] - 2024-12-05
@@ -604,6 +604,7 @@ __Breaking changes:__
 * First release of this library.
+[5.10.3]: https://github.com/phpmyadmin/sql-parser/compare/5.10.2...5.10.3
 [5.10.2]: https://github.com/phpmyadmin/sql-parser/compare/5.10.1...5.10.2
 [5.10.1]: https://github.com/phpmyadmin/sql-parser/compare/5.10.0...5.10.1
 [5.10.0]: https://github.com/phpmyadmin/sql-parser/compare/5.9.1...5.10.0

From a33af1479778b6b4d908f7803accff92e7b748ae Mon Sep 17 00:00:00 2001
From: Isaac Bennetch
Date: Sat, 18 Jan 2025 23:15:19 -0500
Subject: [PATCH 3/3] Update CHANGELOG to be ready for 5.10.4

Signed-off-by: Isaac Bennetch
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27c81c79..6562d48e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 # Change Log
+## [5.10.4] - YYYY-MM-DD
+
 ## [5.10.3] - 2024-01-18
 ### Fixed