Fix #76452: Crash while parsing blob data in firebird_fetch_blob

cmb69 · smalyshev · commit 286162e9b030 · 2021-06-20T21:56:07.000-07:00
We need to prevent integer overflow when calling `erealloc()` with
`len+1`.
diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
@@ -299,6 +299,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
 		unsigned short seg_len;
 		ISC_STATUS stat;
 
+		/* prevent overflow */
+		if (*len == ZEND_ULONG_MAX) {
+			result = 0;
+			goto fetch_blob_end;
+		}
 		*ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
 
 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
diff --git a/ext/pdo_firebird/tests/bug_76452.data b/ext/pdo_firebird/tests/bug_76452.data
diff --git a/ext/pdo_firebird/tests/bug_76452.phpt b/ext/pdo_firebird/tests/bug_76452.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug ##76452 (Crash while parsing blob data in firebird_fetch_blob)
+--SKIPIF--
+<?php require('skipif.inc'); ?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76452.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$query = $dbh->prepare("select * from test");
+$query->execute();
+var_dump($query->fetch());
+?>
+--EXPECT--
+array(4) {
+  ["AAA"]=>
+  string(4) "hihi"
+  [0]=>
+  string(4) "hihi"
+  ["BBBB"]=>
+  NULL
+  [1]=>
+  NULL
+}
