Fix #76452: Crash while parsing blob data in firebird_fetch_blob

We need to prevent integer overflow when calling `erealloc()` with `len+1`.
2025-08-15 21:48:51 +02:00 · 2021-05-05 12:42:17 +02:00 · 2021-05-05 12:42:17 +02:00 · 286162e9b0
commit 286162e9b0
parent a5538c6229
3 changed files with 36 additions and 0 deletions
--- a/ext/pdo_firebird/firebird_statement.c
+++ b/ext/pdo_firebird/firebird_statement.c
@ -299,6 +299,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
 		unsigned short seg_len;
 		ISC_STATUS stat;

+		/* prevent overflow */
+		if (*len == ZEND_ULONG_MAX) {
+			result = 0;
+			goto fetch_blob_end;
+		}
 		*ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);

 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
--- a/ext/pdo_firebird/tests/bug_76452.data
+++ b/ext/pdo_firebird/tests/bug_76452.data
--- a/ext/pdo_firebird/tests/bug_76452.phpt
+++ b/ext/pdo_firebird/tests/bug_76452.phpt
@ -0,0 +1,31 @@
+--TEST--
+Bug ##76452 (Crash while parsing blob data in firebird_fetch_blob)
+--SKIPIF--
+<?php require('skipif.inc'); ?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76452.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$query = $dbh->prepare("select * from test");
+$query->execute();
+var_dump($query->fetch());
+?>
+--EXPECT--
+array(4) {
+  ["AAA"]=>
+  string(4) "hihi"
+  [0]=>
+  string(4) "hihi"
+  ["BBBB"]=>
+  NULL
+  [1]=>
+  NULL
+}