File php7-CVE-2021-21704.patch of Package php7.24757

Index: php-7.2.5/ext/pdo_firebird/firebird_driver.c
===================================================================
--- php-7.2.5.orig/ext/pdo_firebird/firebird_driver.c	2018-04-24 17:09:57.000000000 +0200
+++ php-7.2.5/ext/pdo_firebird/firebird_driver.c	2021-08-02 14:18:23.046417339 +0200
@@ -206,8 +206,17 @@ static zend_long firebird_handle_doer(pd
 	if (result[0] == isc_info_sql_records) {
 		unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
 
+		if (result_size > sizeof(result)) {
+			ret = -1;
+			goto free_statement;
+		}
 		while (result[i] != isc_info_end && i < result_size) {
 			short len = (short)isc_vax_integer(&result[i+1],2);
+			/* bail out on bad len */
+			if (len != 1 && len != 2 && len != 4) {
+				ret = -1;
+				goto free_statement;
+			}
 			if (result[i] != isc_info_req_select_count) {
 				ret += isc_vax_integer(&result[i+3],len);
 			}
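Review bot: The new `result_size > sizeof(result)` guard in firebird_handle_doer still allows reads past `result`, assuming it is a fixed array (its declaration is outside the hunk). A `result_size` equal to `sizeof(result)` passes, and the loop tests `result[i]` before `i < result_size`, then reads `result[i+1..i+2]` and `len` bytes from `result[i+3]` with no check against the buffer end. I would bound each access, e.g. `while (i + 3 <= sizeof(result) && i < result_size && result[i] != isc_info_end) {` and, after the `len` validation, `if (i + 3 + (unsigned)len > sizeof(result)) { ret = -1; goto free_statement; }`. The same pattern is in the firebird_stmt_execute hunk of firebird_statement.c, where the bail-out is `goto error;`. The loop body continues outside this hunk, so how `i` is advanced is not visible here.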
@@ -500,14 +509,16 @@ static int firebird_handle_set_attribute
 }
 /* }}} */
 
+#define INFO_BUF_LEN 512
+
 /* callback to used to report database server info */
 static void firebird_info_cb(void *arg, char const *s) /* {{{ */
 {
 	if (arg) {
 		if (*(char*)arg) { /* second call */
-			strcat(arg, " ");
+			strlcat(arg, " ", INFO_BUF_LEN);
 		}
-		strcat(arg, s);
+		strlcat(arg, s, INFO_BUF_LEN);
 	}
 }
 /* }}} */
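Review bot: firebird_info_cb now assumes that `arg` points to a buffer of exactly INFO_BUF_LEN bytes, but nothing at the callback documents that contract. The only link is that `tmp` in firebird_handle_get_attribute is sized with the same macro. I would extend the comment above the function to something like `/* callback used to report database server info; arg must be a NUL-terminated buffer of INFO_BUF_LEN bytes, longer output is truncated */`, which also fixes the existing "callback to used to" wording. The return value of `strlcat` is ignored, so an over-long server string is cut without any signal; that looks acceptable for an informational string but should be stated.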
@@ -518,7 +529,7 @@ static int firebird_handle_get_attribute
 	pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
 
 	switch (attr) {
-		char tmp[512];
+		char tmp[INFO_BUF_LEN];
 
 		case PDO_ATTR_AUTOCOMMIT:
 			ZVAL_LONG(val,dbh->auto_commit);
Index: php-7.2.5/ext/pdo_firebird/firebird_statement.c
===================================================================
--- php-7.2.5.orig/ext/pdo_firebird/firebird_statement.c	2018-04-24 17:09:57.000000000 +0200
+++ php-7.2.5/ext/pdo_firebird/firebird_statement.c	2021-08-02 14:18:42.854558579 +0200
@@ -133,8 +133,14 @@ static int firebird_stmt_execute(pdo_stm
 				}
 				if (result[0] == isc_info_sql_records) {
 					unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
+					if (result_size > sizeof(result)) {
+						goto error;
+					}
 					while (result[i] != isc_info_end && i < result_size) {
 						short len = (short) isc_vax_integer(&result[i + 1], 2);
+						if (len != 1 && len != 2 && len != 4) {
+							goto error;
+						}
 						if (result[i] != isc_info_req_select_count) {
 							affected_rows += isc_vax_integer(&result[i + 3], len);
 						}
@@ -158,6 +164,7 @@ static int firebird_stmt_execute(pdo_stm
 		return 1;
 	} while (0);
 
+error:
 	RECORD_ERROR(stmt);
 
 	return 0;
@@ -294,6 +301,11 @@ static int firebird_fetch_blob(pdo_stmt_
 		unsigned short seg_len;
 		ISC_STATUS stat;
 
+		/* prevent overflow */
+		if (*len == ZEND_ULONG_MAX) {
+			result = 0;
+			goto fetch_blob_end;
+		}
 		*ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1);
 
 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
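Review bot: The `/* prevent overflow */` comment in firebird_fetch_blob does not say which overflow is meant. The guard protects the `*len+1` passed to `erealloc` on the following line, which would wrap to 0 while the loop below still runs up to `*len`. I would spell that out, e.g. `/* *len + 1 below would wrap to 0, leaving the read loop with an undersized buffer */`. The equality test is exact only if `*len` is a `zend_ulong`, and its declaration is outside the hunk, so that should be confirmed. The function also starts and ends outside this hunk, so what the `fetch_blob_end` path does with `result = 0` is not visible here.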