File php7-CVE-2021-21704.patch of Package php7.24757
Index: php-7.2.5/ext/pdo_firebird/firebird_driver.c
===================================================================
--- php-7.2.5.orig/ext/pdo_firebird/firebird_driver.c 2018-04-24 17:09:57.000000000 +0200
+++ php-7.2.5/ext/pdo_firebird/firebird_driver.c 2021-08-02 14:18:23.046417339 +0200
@@ -206,8 +206,17 @@ static zend_long firebird_handle_doer(pd
if (result[0] == isc_info_sql_records) {
unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
+ if (result_size > sizeof(result)) {
+ ret = -1;
+ goto free_statement;
+ }
while (result[i] != isc_info_end && i < result_size) {
short len = (short)isc_vax_integer(&result[i+1],2);
+ /* bail out on bad len */
+ if (len != 1 && len != 2 && len != 4) {
+ ret = -1;
+ goto free_statement;
+ }
if (result[i] != isc_info_req_select_count) {
ret += isc_vax_integer(&result[i+3],len);
}
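Review bot: The new `result_size > sizeof(result)` guard bounds `i`, but the loop body still reads past `i`: `isc_vax_integer(&result[i+1],2)` touches result[i+1..i+2] and the select-count read touches result[i+3..i+3+len-1], while the loop condition only requires `i < result_size`. A malformed item near the tail of the buffer therefore still reads up to six bytes beyond result_size, and when result_size equals sizeof(result) that is past the buffer end. After the len check, adding `if (i + 3 + len > result_size) { ret = -1; goto free_statement; }` closes that window. The same pattern is in the firebird_stmt_execute hunk of firebird_statement.c (there with `goto error`). firebird_handle_doer and the `free_statement` label lie outside this hunk, and the declaration of `result` is not visible, so the sizeof comparison is assumed to be against a fixed-size array.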
@@ -500,14 +509,16 @@ static int firebird_handle_set_attribute
}
/* }}} */
+#define INFO_BUF_LEN 512
+
/* callback to used to report database server info */
static void firebird_info_cb(void *arg, char const *s) /* {{{ */
{
if (arg) {
if (*(char*)arg) { /* second call */
- strcat(arg, " ");
+ strlcat(arg, " ", INFO_BUF_LEN);
}
- strcat(arg, s);
+ strlcat(arg, s, INFO_BUF_LEN);
}
}
/* }}} */
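Review bot: firebird_info_cb now hard-codes INFO_BUF_LEN as the destination size, so the callback is only safe for a buffer of at least that size and nothing in its signature expresses this; the first-call test `*(char*)arg` also requires the caller to NUL-initialise the buffer before the first callback. The only caller in this patch (`char tmp[INFO_BUF_LEN]` in firebird_handle_get_attribute) matches, but a future caller passing a smaller buffer would reintroduce the overflow strlcat is meant to prevent. I would extend the comment above the function: `/* callback used to report database server info; arg must be a NUL-initialised buffer of INFO_BUF_LEN bytes, longer output is silently truncated by strlcat */`. Whether the caller zeroes tmp before use is not visible in this diff.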
@@ -518,7 +529,7 @@ static int firebird_handle_get_attribute
pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
switch (attr) {
- char tmp[512];
+ char tmp[INFO_BUF_LEN];
case PDO_ATTR_AUTOCOMMIT:
ZVAL_LONG(val,dbh->auto_commit);
Index: php-7.2.5/ext/pdo_firebird/firebird_statement.c
===================================================================
--- php-7.2.5.orig/ext/pdo_firebird/firebird_statement.c 2018-04-24 17:09:57.000000000 +0200
+++ php-7.2.5/ext/pdo_firebird/firebird_statement.c 2021-08-02 14:18:42.854558579 +0200
@@ -133,8 +133,14 @@ static int firebird_stmt_execute(pdo_stm
}
if (result[0] == isc_info_sql_records) {
unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
+ if (result_size > sizeof(result)) {
+ goto error;
+ }
while (result[i] != isc_info_end && i < result_size) {
short len = (short) isc_vax_integer(&result[i + 1], 2);
+ if (len != 1 && len != 2 && len != 4) {
+ goto error;
+ }
if (result[i] != isc_info_req_select_count) {
affected_rows += isc_vax_integer(&result[i + 3], len);
}
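Review bot: Both new `goto error` paths land on the `error:` label added in the next hunk, where `RECORD_ERROR(stmt)` reports from the Firebird status vector; on a malformed info buffer that vector presumably still holds the status of the last successful isc_* call, so the caller gets a failed execute with no meaningful error recorded. If so, a comment at the first bail-out would at least make that explicit: `/* malformed sql_info reply: fail without a server-side status to report */`. firebird_stmt_execute starts and ends outside this hunk, and the declaration of `result` is not visible.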
@@ -158,6 +164,7 @@ static int firebird_stmt_execute(pdo_stm
return 1;
} while (0);
+error:
RECORD_ERROR(stmt);
return 0;
@@ -294,6 +301,11 @@ static int firebird_fetch_blob(pdo_stmt_
unsigned short seg_len;
ISC_STATUS stat;
+ /* prevent overflow */
+ if (*len == ZEND_ULONG_MAX) {
+ result = 0;
+ goto fetch_blob_end;
+ }
*ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1);
for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
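Review bot: The comment `/* prevent overflow */` does not say which overflow; the guard exists because `*len+1` in the erealloc call on the next line wraps to 0 when `*len == ZEND_ULONG_MAX`, which would hand the segment loop a zero-byte buffer to fill up to *len bytes. I would make it `/* *len + 1 below would wrap to 0 and erealloc a zero-byte buffer */`. The check bails out with `result = 0` to `fetch_blob_end`, both declared outside this hunk, and whether *len can actually reach that value depends on how it is derived from the blob info earlier in firebird_fetch_blob, which is not visible here.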