Fix for PHP bug #76452
From 07c77f52e74f1a1ad393d508573ccd9edb54687c Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Wed, 5 May 2021 12:42:17 +0200 | |
Subject: [PATCH] Fix #76452: Crash while parsing blob data in | |
firebird_fetch_blob | |
We need to prevent integer overflow when calling `erealloc()` with | |
`len+1`. | |
--- | |
ext/pdo_firebird/firebird_statement.c | 5 +++++ | |
ext/pdo_firebird/tests/bug_76452.data | Bin 0 -> 856 bytes | |
ext/pdo_firebird/tests/bug_76452.phpt | 31 ++++++++++++++++++++++++++ | |
3 files changed, 36 insertions(+) | |
create mode 100644 ext/pdo_firebird/tests/bug_76452.data | |
create mode 100644 ext/pdo_firebird/tests/bug_76452.phpt | |
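--- a/ext/pdo_firebird/firebird_statement.c
+++ b/ext/pdo_firebird/firebird_statement.c
@@ -302,6 +302,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
 unsigned short seg_len;
 ISC_STATUS stat;
+/* prevent overflow */
+if (*len == ZEND_ULONG_MAX) {
+result = 0;
+goto fetch_blob_end;
+}
 *ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
 for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {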
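Review bot: The guard added before the erealloc() call rejects only the single value at which `*len+1` wraps to 0, and the comment `/* prevent overflow */` does not say where `*len` comes from, so a later reader may take the check for a dead invariant and drop it; the test payload suggests the length is read from the server, so the comment should record that, e.g. `/* *len is the server-supplied blob length; at ZEND_ULONG_MAX, *len+1 wraps to 0 and erealloc() would hand back an undersized buffer for the segment loop below */`. Every other large server-supplied length still reaches erealloc() unchanged; presumably the engine's memory limit turns such a request into a fatal error rather than an out-of-bounds write, which is acceptable against a hostile server but worth confirming in the commit message. The declarations of `result` and `cur_len` and the `fetch_blob_end` label lie outside the hunk, so whether `result = 0` is this function's failure convention cannot be checked here; firebird_fetch_blob continues past the hunk.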
diff --git a/ext/pdo_firebird/tests/bug_76452.data b/ext/pdo_firebird/tests/bug_76452.data | |
new file mode 100644 | |
index 0000000000000000000000000000000000000000..1bb9d86634437c7b232db7e95c860972f656daf3 | |
GIT binary patch | |
literal 856 | |
zcma)3L2kk@5L}u~a6~DEswZ9nyueYp^%gEjRjaC0P3~~u#+_I26kZl~uq`c)P&$&c | |
z*_qj~oe<Gy(;P-b)RUFU0tWBDf8Rg*FT2}Tj&aWq-`vx4ZT9cT4S=qD@VbZo08$~= | |
zS!t(NzRpjX5~0(+6Im)^a;FZM&XV%z#GxxsOmne3CuFT1Gp&~8YLZd8F5e3Ka%GLo | |
zBSz+PsjYc~d8R_p3UIXXhmY@|dkJZM18^GJUw9#KT-8-A+|l!~o<he}1@K_5%Okh# | |
z^x%UdXCn*1zXPWc&Im5nO~%v+;E8?MKOjwLHea|d_61L<v95FAxzVwC81(f<k2JLZ | |
F)-Nn-EmHsh | |
literal 0 | |
HcmV?d00001 | |
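--- /dev/null
+++ b/ext/pdo_firebird/tests/bug_76452.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug ##76452 (Crash while parsing blob data in firebird_fetch_blob)
+--SKIPIF--
+<?php require('skipif.inc'); ?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76452.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$query = $dbh->prepare("select * from test");
+$query->execute();
+var_dump($query->fetch());
+?>
+--EXPECT--
+array(4) {
+ ["AAA"]=>
+ string(4) "hihi"
+ [0]=>
+ string(4) "hihi"
+ ["BBBB"]=>
+ NULL
+ [1]=>
+ NULL
+}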
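Review bot: The test title on the second line of the new file reads `Bug ##76452` with a doubled `#`, so run-tests reports the bug number differently from the commit subject; it should be `Bug #76452 (Crash while parsing blob data in firebird_fetch_blob)`. The comment above the DSN has a typo, `falke` for `fake`: `// no need to change the credentials; we're running against a fake server`. Since the expected output only checks that the fetch returns normal data, a one-line comment near the `var_dump()` stating that the point of the test is that this call no longer crashes on the crafted blob length would make the test's intent clear to whoever next edits the payload.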
-- | |
2.31.1.windows.1 | |