Fix for PHP bug #76449

0001-Fix-76449-SIGSEGV-in-firebird_handle_doer.patch

From 98a871fe43525bca3eb961da9762a36d2ca5162d Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 30 Apr 2021 13:53:21 +0200
Subject: [PATCH] Fix #76449: SIGSEGV in firebird_handle_doer

We need to verify that the `result_size` is not larger than our buffer,
and also should make sure that the `len` which is passed to
`isc_vax_integer()` has a permissible value; otherwise we bail out.
---
 ext/pdo_firebird/firebird_driver.c    |   9 +++++++++
 ext/pdo_firebird/tests/bug_76449.data | Bin 0 -> 464 bytes
 ext/pdo_firebird/tests/bug_76449.phpt |  23 +++++++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 ext/pdo_firebird/tests/bug_76449.data
 create mode 100644 ext/pdo_firebird/tests/bug_76449.phpt

diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
index b1869f2695..4af75a5e34 100644
--- a/ext/pdo_firebird/firebird_driver.c
+++ b/ext/pdo_firebird/firebird_driver.c
@@ -206,8 +206,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq
 	if (result[0] == isc_info_sql_records) {
 		unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
 
+		if (result_size > sizeof(result)) {
+			ret = -1;
+			goto free_statement;
+		}
 		while (result[i] != isc_info_end && i < result_size) {
 			short len = (short)isc_vax_integer(&result[i+1],2);
+			/* bail out on bad len */
+			if (len != 1 && len != 2 && len != 4) {
+				ret = -1;
+				goto free_statement;
+			}
 			if (result[i] != isc_info_req_select_count) {
 				ret += isc_vax_integer(&result[i+3],len);
 			}
diff --git a/ext/pdo_firebird/tests/bug_76449.data b/ext/pdo_firebird/tests/bug_76449.data
new file mode 100644
index 0000000000000000000000000000000000000000..bac82d337a08568d76a0fc1ec43eb76d04447153
GIT binary patch
literal 464
zcmZQzV2Jzwzk#2Dfq@Z-S%DY?xP4O76O$|B9ZO3xAR-Vl2Fk%D&xx!U$_AMW10Z>1
zK1dvy50YmB2_gY>c_b+Yc~KUydT9v7%FY6oWr5OQt?2rZ`5@KEe02L2#sB~3|My=2
os7wH2G%tkWV*%@9f@(%L1MCVU0!98m5Fp8cm?-jSawN$E08bGWUH||9

literal 0
HcmV?d00001

diff --git a/ext/pdo_firebird/tests/bug_76449.phpt b/ext/pdo_firebird/tests/bug_76449.phpt
new file mode 100644
index 0000000000..48a09c1d4e
--- /dev/null
+++ b/ext/pdo_firebird/tests/bug_76449.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #76449 (SIGSEGV in firebird_handle_doer)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip pdo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76449.data");
+
+// no need to change the credentials; we're running against a fake server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->exec("INSERT INTO test VALUES ('hihi2', 'xxxxx')"));
+?>
+--EXPECT--
+bool(false)
-- 
2.31.1.windows.1