archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes

Browse source
This commit is contained in:
Niels Dossche 2024-10-24 22:02:36 +02:00 committed by Jakub Zelenka
parent d9baa9fed8
commit 69c5f68fdc
No known key found for this signature in database
GPG key ID: 1C0779DC5C0A9DE4
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
ext/pdo_firebird/firebird_driver.c
View file

@ -662,7 +662,7 @@ free_statement:
/* called by the PDO SQL parser to add quotes to values that are copied into SQL */ /* called by the PDO SQL parser to add quotes to values that are copied into SQL */
static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquoted, enum pdo_param_type paramtype) static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquoted, enum pdo_param_type paramtype)
{ {
int qcount = 0; size_t qcount = 0;
char const *co, *l, *r; char const *co, *l, *r;
char *c; char *c;
size_t quotedlen; size_t quotedlen;
@ -676,6 +676,10 @@ static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *un
/* count the number of ' characters */ /* count the number of ' characters */
for (co = ZSTR_VAL(unquoted); (co = strchr(co,'\'')); qcount++, co++); for (co = ZSTR_VAL(unquoted); (co = strchr(co,'\'')); qcount++, co++);
if (UNEXPECTED(ZSTR_LEN(unquoted) + 2 > ZSTR_MAX_LEN - qcount)) {
return NULL;
}
quotedlen = ZSTR_LEN(unquoted) + qcount + 2; quotedlen = ZSTR_LEN(unquoted) + qcount + 2;
quoted_str = zend_string_alloc(quotedlen, 0); quoted_str = zend_string_alloc(quotedlen, 0);
c = ZSTR_VAL(quoted_str); c = ZSTR_VAL(quoted_str);