Created
May 5, 2021 11:46
-
-
Save cmb69/51a5818efda86f39a5afdd93caf31e8e to your computer and use it in GitHub Desktop.
Fix for PHP bug #76448
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From 8e1752c17244c7b3012b20966a764be3fd60b72b Mon Sep 17 00:00:00 2001 | |
| From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
| Date: Thu, 29 Apr 2021 15:26:22 +0200 | |
| Subject: [PATCH] Fix #76448: Stack buffer overflow in firebird_info_cb | |
| We ensure not to overflow the stack allocated buffer by using `strlcat`. | |
| --- | |
| ext/pdo_firebird/firebird_driver.c | 8 +++++--- | |
| ext/pdo_firebird/tests/bug_76448.data | Bin 0 -> 749 bytes | |
| ext/pdo_firebird/tests/bug_76448.phpt | 23 +++++++++++++++++++++++ | |
| 3 files changed, 28 insertions(+), 3 deletions(-) | |
| create mode 100644 ext/pdo_firebird/tests/bug_76448.data | |
| create mode 100644 ext/pdo_firebird/tests/bug_76448.phpt | |
| diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c | |
| index b1869f2695..125e6b101c 100644 | |
| --- a/ext/pdo_firebird/firebird_driver.c | |
| +++ b/ext/pdo_firebird/firebird_driver.c | |
| @@ -509,14 +509,16 @@ static int firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v | |
| } | |
| /* }}} */ | |
| +#define INFO_BUF_LEN 512 | |
| + | |
| /* callback to used to report database server info */ | |
| static void firebird_info_cb(void *arg, char const *s) /* {{{ */ | |
| { | |
| if (arg) { | |
| if (*(char*)arg) { /* second call */ | |
| - strcat(arg, " "); | |
| + strlcat(arg, " ", INFO_BUF_LEN); | |
| } | |
| - strcat(arg, s); | |
| + strlcat(arg, s, INFO_BUF_LEN); | |
| } | |
| } | |
| /* }}} */ | |
| @@ -527,7 +529,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v | |
| pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data; | |
| switch (attr) { | |
| - char tmp[512]; | |
| + char tmp[INFO_BUF_LEN]; | |
| case PDO_ATTR_AUTOCOMMIT: | |
| ZVAL_LONG(val,dbh->auto_commit); | |
| diff --git a/ext/pdo_firebird/tests/bug_76448.data b/ext/pdo_firebird/tests/bug_76448.data | |
| new file mode 100644 | |
| index 0000000000000000000000000000000000000000..e391bd874e94e8814617b3531b3d799735d1568f | |
| GIT binary patch | |
| literal 749 | |
| zcmZQzV2Jzwzk#2Dfq@Z-S%DY?xP4O76O$|B9ZO3xAR-Vl2Fk%D&xx!U$_AMW18DM$ | |
| z3`{VYkxSzXABS`mMkb|jPu&m`Jp&-Lw6sug%PdMw$}CDz017EM<`iTkDj5DJtVBO? | |
| f7z1ur1|}Cq7nUMk1}0E=GJ;bx3nMse;Q<T)!=QC1 | |
| literal 0 | |
| HcmV?d00001 | |
| diff --git a/ext/pdo_firebird/tests/bug_76448.phpt b/ext/pdo_firebird/tests/bug_76448.phpt | |
| new file mode 100644 | |
| index 0000000000..d13bab5ba1 | |
| --- /dev/null | |
| +++ b/ext/pdo_firebird/tests/bug_76448.phpt | |
| @@ -0,0 +1,23 @@ | |
| +--TEST-- | |
| +Bug #76448 (Stack buffer overflow in firebird_info_cb) | |
| +--SKIPIF-- | |
| +<?php | |
| +if (!extension_loaded('pdo_firebird')) die("skip podo_firebird extension not available"); | |
| +if (!extension_loaded('sockets')) die("skip sockets extension not available"); | |
| +?> | |
| +--FILE-- | |
| +<?php | |
| +require_once "payload_server.inc"; | |
| + | |
| +$address = run_server(__DIR__ . "/bug_76448.data"); | |
| + | |
| +// no need to change the credentials; we're running against a falke server | |
| +$dsn = "firebird:dbname=inet://$address/test"; | |
| +$username = 'SYSDBA'; | |
| +$password = 'masterkey'; | |
| + | |
| +$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]); | |
| +var_dump($dbh->getAttribute(PDO::ATTR_SERVER_INFO)); | |
| +?> | |
| +--EXPECT-- | |
| +bool(false) | |
| -- | |
| 2.31.1.windows.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment