
Commit 67afa32

cmb69smalyshev
authored andcommitted
Fix #76448: Stack buffer overflow in firebird_info_cb
We ensure not to overflow the stack allocated buffer by using `strlcat`.
1 parent 08da7c7 commit 67afa32


3 files changed

+28
-3
lines changed


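--- a/ext/pdo_firebird/firebird_driver.c
+++ b/ext/pdo_firebird/firebird_driver.c
@@ -509,14 +509,16 @@ static int firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
 }
 /* }}} */
 
+#define INFO_BUF_LEN 512
+
 /* callback to used to report database server info */
 static void firebird_info_cb(void *arg, char const *s) /* {{{ */
 {
 if (arg) {
 if (*(char*)arg) { /* second call */
-strcat(arg, " ");
+strlcat(arg, " ", INFO_BUF_LEN);
 }
-strcat(arg, s);
+strlcat(arg, s, INFO_BUF_LEN);
 }
 }
 /* }}} */
@@ -527,7 +529,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
 pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
 
 switch (attr) {
-char tmp[512];
+char tmp[INFO_BUF_LEN];
 
 case PDO_ATTR_AUTOCOMMIT:
 ZVAL_LONG(val,dbh->auto_commit);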
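Review bot: In firebird_info_cb the bound passed to `strlcat` is the file-level `INFO_BUF_LEN`, not the size of whatever `arg` actually points to, so the fix holds only while every caller passes a buffer of at least that size, and nothing on the callback states this. I would replace the existing comment above it with `/* callback used to report database server info; arg must be a NUL-terminated buffer of INFO_BUF_LEN bytes, longer output is truncated */`. The return value of `strlcat` is ignored, so an over-long server string is cut off silently; that looks acceptable for an info string but should be stated. The call that hands `tmp` to the callback is in firebird_handle_get_attribute outside this hunk, so it cannot be confirmed from here that `tmp` is terminated before the first callback invocation.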

ext/pdo_firebird/tests/bug_76448.data

749 Bytes
Binary file not shown.

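--- a/ext/pdo_firebird/tests/bug_76448.phpt
+++ b/ext/pdo_firebird/tests/bug_76448.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #76448 (Stack buffer overflow in firebird_info_cb)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip podo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76448.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->getAttribute(PDO::ATTR_SERVER_INFO));
+?>
+--EXPECT--
+bool(false)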
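Review bot: The skip message in the SKIPIF block misspells the extension name: `die("skip podo_firebird extension not available")` should read `pdo_firebird`, and the comment before `$dsn` says `falke server` where `fake server` is meant. Neither affects the result, but the skip reason is what appears in test reports. The test also relies on `payload_server.inc`, which is not among the three files this commit changes, so presumably it already exists in the test directory.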
