From b871261c10fcf5ffef3851ae31ac12a0170044d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D0=BD=D0=B4=D1=80=D0=B5=D0=B9=20=D0=9A=D0=BE=D0=B2?= =?UTF-8?q?=D0=B0=D0=BB=D1=91=D0=B2?= <115738313+andr3y-k0v4l3v@users.noreply.github.com> Date: Mon, 2 Jun 2025 12:55:25 +0300 Subject: [PATCH] ext/mysqlnd/mysqlnd_auth.c: Add error handling for invalid public key size (#18663) Reported-by: Pavel Nekrasov Signed-off-by: Andrey Kovalev Co-authored-by: Andrey Kovalev --- ext/mysqlnd/mysqlnd_auth.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/ext/mysqlnd/mysqlnd_auth.c b/ext/mysqlnd/mysqlnd_auth.c index b8a23f87c66..691375b1a69 100644 --- a/ext/mysqlnd/mysqlnd_auth.c +++ b/ext/mysqlnd/mysqlnd_auth.c @@ -1005,9 +1005,19 @@ void php_mysqlnd_scramble_sha2(zend_uchar * const buffer, const zend_uchar * con static size_t mysqlnd_caching_sha2_public_encrypt(MYSQLND_CONN_DATA * conn, mysqlnd_rsa_t server_public_key, size_t passwd_len, unsigned char **crypted, char *xor_str) { - size_t server_public_key_len = (size_t) EVP_PKEY_size(server_public_key); - DBG_ENTER("mysqlnd_caching_sha2_public_encrypt"); + + int pkey_size = EVP_PKEY_size(server_public_key); + + if (pkey_size <= 0) { + EVP_PKEY_free(server_public_key); + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "invalid public key size"); + DBG_ERR("invalid public key size"); + DBG_RETURN(0); + } + + size_t server_public_key_len = (size_t) pkey_size; + /* Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len. RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here:
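Review bot: The new `pkey_size <= 0` branch releases `server_public_key` with `EVP_PKEY_free()` before returning 0, yet nothing at the function head states that the callee owns the key on this failure path, so a caller that also frees it after a 0 return would double-free. I would add a contract comment above the signature, for example `/* On an invalid key size the key is freed here and 0 is returned; the caller must not free it again. */`, and confirm the call site follows it. The parameter is typed `mysqlnd_rsa_t`, so if the file provides a release helper for that type (none is visible in this hunk), calling it here instead of the raw OpenSSL function would keep this exit consistent with the others. If other functions in this file cast the `int` result of `EVP_PKEY_size()` straight to `size_t`, they presumably need the same guard. The function body continues past the end of the hunk, so the remaining exits could not be checked from here.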