Fix #76448: Stack buffer overflow in firebird_info_cb

We ensure not to overflow the stack allocated buffer by using `strlcat`.

Author: cmb69

ext/pdo_firebird/firebird_driver.c

@@ -509,14 +509,16 @@ static int firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
 }
 /* }}} */
 
+#define INFO_BUF_LEN 512
+
 /* callback to used to report database server info */
 static void firebird_info_cb(void *arg, char const *s) /* {{{ */
 {
 	if (arg) {
 		if (*(char*)arg) { /* second call */
-			strcat(arg, " ");
+			strlcat(arg, " ", INFO_BUF_LEN);
 		}
-		strcat(arg, s);
+		strlcat(arg, s, INFO_BUF_LEN);
 	}
 }
 /* }}} */
@@ -527,7 +529,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
 	pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
 
 	switch (attr) {
-		char tmp[512];
+		char tmp[INFO_BUF_LEN];
 
 		case PDO_ATTR_AUTOCOMMIT:
 			ZVAL_LONG(val,dbh->auto_commit);

ext/pdo_firebird/tests/bug_76448.data

@@ -0,0 +1,23 @@
+--TEST--
+Bug #76448 (Stack buffer overflow in firebird_info_cb)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip podo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76448.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->getAttribute(PDO::ATTR_SERVER_INFO));
+?>
+--EXPECT--
+bool(false)