Fix for PHP bug #76452
From 07c77f52e74f1a1ad393d508573ccd9edb54687c Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 5 May 2021 12:42:17 +0200
Subject: [PATCH] Fix #76452: Crash while parsing blob data in
firebird_fetch_blob
We need to prevent integer overflow when calling `erealloc()` with
`len+1`.
---
ext/pdo_firebird/firebird_statement.c | 5 +++++
ext/pdo_firebird/tests/bug_76452.data | Bin 0 -> 856 bytes
ext/pdo_firebird/tests/bug_76452.phpt | 31 ++++++++++++++++++++++++++
3 files changed, 36 insertions(+)
create mode 100644 ext/pdo_firebird/tests/bug_76452.data
create mode 100644 ext/pdo_firebird/tests/bug_76452.phpt
diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
index 05dfe46848..7520225561 100644
--- a/ext/pdo_firebird/firebird_statement.c
+++ b/ext/pdo_firebird/firebird_statement.c
@@ -302,6 +302,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
unsigned short seg_len;
ISC_STATUS stat;
+ /* prevent overflow */
+ if (*len == ZEND_ULONG_MAX) {
+ result = 0;
+ goto fetch_blob_end;
+ }
*ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
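Review bot: the guard catches the one value for which `*len+1` wraps to 0 (assuming `*len` is a `zend_ulong`, `ZEND_ULONG_MAX` is the only such value), but it bails out with `result = 0` and no diagnostic, so the caller sees a silent fetch failure instead of an error it can report; consider setting a PDO error before the `goto fetch_blob_end`. Since `*len` here is a length supplied by the remote server, it may also be worth rejecting lengths far above any plausible blob size rather than only the exact maximum, because `erealloc()` with a near-`ZEND_ULONG_MAX` size will still abort the process. Minor: the comment `/* prevent overflow */` should say what overflows, e.g. `/* prevent *len+1 from wrapping to 0 in erealloc() */`.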
diff --git a/ext/pdo_firebird/tests/bug_76452.data b/ext/pdo_firebird/tests/bug_76452.data
new file mode 100644
index 0000000000000000000000000000000000000000..1bb9d86634437c7b232db7e95c860972f656daf3
GIT binary patch
literal 856
zcma)3L2kk@5L}u~a6~DEswZ9nyueYp^%gEjRjaC0P3~~u#+_I26kZl~uq`c)P&$&c
z*_qj~oe<Gy(;P-b)RUFU0tWBDf8Rg*FT2}Tj&aWq-`vx4ZT9cT4S=qD@VbZo08$~=
zS!t(NzRpjX5~0(+6Im)^a;FZM&XV%z#GxxsOmne3CuFT1Gp&~8YLZd8F5e3Ka%GLo
zBSz+PsjYc~d8R_p3UIXXhmY@|dkJZM18^GJUw9#KT-8-A+|l!~o<he}1@K_5%Okh#
z^x%UdXCn*1zXPWc&Im5nO~%v+;E8?MKOjwLHea|d_61L<v95FAxzVwC81(f<k2JLZ
F)-Nn-EmHsh
literal 0
HcmV?d00001
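Review bot: the fixture `bug_76452.data` is added as an opaque binary blob with nothing describing what it encodes; a short note (in the `.phpt` or alongside the other payload fixtures) saying that it is a captured Firebird wire exchange in which the server reports a blob length that triggers the `*len+1` overflow would let future maintainers regenerate or adapt it.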
diff --git a/ext/pdo_firebird/tests/bug_76452.phpt b/ext/pdo_firebird/tests/bug_76452.phpt
new file mode 100644
index 0000000000..ae953b70b5
--- /dev/null
+++ b/ext/pdo_firebird/tests/bug_76452.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug ##76452 (Crash while parsing blob data in firebird_fetch_blob)
+--SKIPIF--
+<?php require('skipif.inc'); ?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76452.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$query = $dbh->prepare("select * from test");
+$query->execute();
+var_dump($query->fetch());
+?>
+--EXPECT--
+array(4) {
+ ["AAA"]=>
+ string(4) "hihi"
+ [0]=>
+ string(4) "hihi"
+ ["BBBB"]=>
+ NULL
+ [1]=>
+ NULL
+}
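Review bot: two typos in the new test: the `--TEST--` title reads `Bug ##76452` with a doubled `#`, and the comment says `we're running against a falke server` where `fake` is meant. Also worth stating in the comment what the expected array demonstrates, i.e. that the blob fetch now completes (returning `"hihi"`) instead of crashing, so the `--EXPECT--` block is self-explanatory.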
--
2.31.1.windows.1