Fix for PHP bug #76449
From 98a871fe43525bca3eb961da9762a36d2ca5162d Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Fri, 30 Apr 2021 13:53:21 +0200 | |
Subject: [PATCH] Fix #76449: SIGSEGV in firebird_handle_doer | |
We need to verify that the `result_size` is not larger than our buffer, | |
and also should make sure that the `len` which is passed to | |
`isc_vax_integer()` has a permissible value; otherwise we bail out. | |
--- | |
ext/pdo_firebird/firebird_driver.c | 9 +++++++++ | |
ext/pdo_firebird/tests/bug_76449.data | Bin 0 -> 464 bytes | |
ext/pdo_firebird/tests/bug_76449.phpt | 23 +++++++++++++++++++++++ | |
3 files changed, 32 insertions(+) | |
create mode 100644 ext/pdo_firebird/tests/bug_76449.data | |
create mode 100644 ext/pdo_firebird/tests/bug_76449.phpt | |
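diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
index b1869f2695..4af75a5e34 100644
--- a/ext/pdo_firebird/firebird_driver.c
+++ b/ext/pdo_firebird/firebird_driver.c
@@ -206,8 +206,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq
 	if (result[0] == isc_info_sql_records) {
 		unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
+		if (result_size > sizeof(result)) {
+			ret = -1;
+			goto free_statement;
+		}
 		while (result[i] != isc_info_end && i < result_size) {
 			short len = (short)isc_vax_integer(&result[i+1],2);
+			/* bail out on bad len */
+			if (len != 1 && len != 2 && len != 4) {
+				ret = -1;
+				goto free_statement;
+			}
 			if (result[i] != isc_info_req_select_count) {
 				ret += isc_vax_integer(&result[i+3],len);
 			}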
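Review bot: The per-entry reads are still not bounded by `result_size`: once `i < result_size` holds, `isc_vax_integer(&result[i+1],2)` and `isc_vax_integer(&result[i+3],len)` touch bytes up to `result[i+2+len]` with no check that `i + 3 + len <= result_size`, so a truncated final clumplet can read past the validated length and, because the new guard lets `result_size == sizeof(result)` through, past the buffer itself. The loop condition also evaluates `result[i]` before comparing `i` with `result_size`; swapping the operands to `while (i < result_size && result[i] != isc_info_end)` removes that one-byte overread. I would add `if (i + 3 + len > result_size) { ret = -1; goto free_statement; }` directly after the new len check. Whether `result_size` is an absolute offset or counts only the bytes after the 3-byte header is not visible in this hunk; if it is the latter, the upper bound should be `sizeof(result) - 3` rather than `sizeof(result)`. firebird_handle_doer continues outside the hunk, including the loop's increment of `i`.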
diff --git a/ext/pdo_firebird/tests/bug_76449.data b/ext/pdo_firebird/tests/bug_76449.data | |
new file mode 100644 | |
index 0000000000000000000000000000000000000000..bac82d337a08568d76a0fc1ec43eb76d04447153 | |
GIT binary patch | |
literal 464 | |
zcmZQzV2Jzwzk#2Dfq@Z-S%DY?xP4O76O$|B9ZO3xAR-Vl2Fk%D&xx!U$_AMW10Z>1 | |
zK1dvy50YmB2_gY>c_b+Yc~KUydT9v7%FY6oWr5OQt?2rZ`5@KEe02L2#sB~3|My=2 | |
os7wH2G%tkWV*%@9f@(%L1MCVU0!98m5Fp8cm?-jSawN$E08bGWUH||9 | |
literal 0 | |
HcmV?d00001 | |
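diff --git a/ext/pdo_firebird/tests/bug_76449.phpt b/ext/pdo_firebird/tests/bug_76449.phpt
new file mode 100644
index 0000000000..48a09c1d4e
--- /dev/null
+++ b/ext/pdo_firebird/tests/bug_76449.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #76449 (SIGSEGV in firebird_handle_doer)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip pdo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76449.data");
+
+// no need to change the credentials; we're running against a fake server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->exec("INSERT INTO test VALUES ('hihi2', 'xxxxx')"));
+?>
+--EXPECT--
+bool(false)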
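Review bot: The expected output `bool(false)` under `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` pins down that the new bail-out paths in the driver return -1 without recording a driver error, so a malformed server response surfaces as a silent `false` rather than a PDOException. If that is the intended contract, a comment above the `var_dump` such as `// a malformed record-count reply makes exec() fail without raising; no error state is set by the driver` would keep a later change that does raise from looking like a regression of this test; if it is not intended, the driver fix should set the error state before `goto free_statement`. The EXPECT section would then need to change accordingly.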
-- | |
2.31.1.windows.1 | |