File php5-CVE-2021-21704.patch of Package php5

Index: php-5.6.40/ext/pdo_firebird/firebird_driver.c
===================================================================
--- php-5.6.40.orig/ext/pdo_firebird/firebird_driver.c
+++ php-5.6.40/ext/pdo_firebird/firebird_driver.c
@@ -253,8 +253,15 @@ static long firebird_handle_doer(pdo_dbh
 	if (result[0] == isc_info_sql_records) {
 		unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
 
+		if (result_size > sizeof(result)) {
+			return -1;
+		}
 		while (result[i] != isc_info_end && i < result_size) {
 			short len = (short)isc_vax_integer(&result[i+1],2);
+			/* bail out on bad len */
+			if (len != 1 && len != 2 && len != 4) {
+				return -1;
+			}
 			if (result[i] != isc_info_req_select_count) {
 				ret += isc_vax_integer(&result[i+3],len);
 			}
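Review bot: The new `result_size > sizeof(result)` guard bounds `i`, but the reads at `&result[i+1]` and `&result[i+3]` are not bounded by it: with `i` just under `result_size`, `isc_vax_integer(&result[i+3], len)` reads up to index `i + 2 + len`, which can lie past `result_size` and, when `result_size == sizeof(result)`, past the array itself. The loop condition also tests `result[i]` before `i < result_size`. I would check that the item fits before decoding it, `if (i + 3 + (unsigned)len > result_size) return -1;` right after the `len` validation, and reorder the condition to `while (i < result_size && result[i] != isc_info_end)`. The same pattern is in firebird_stmt_execute's hunk at L64–L78 (with `goto error` instead of `return -1`). firebird_handle_doer starts outside the hunk and the declaration of `result` is not visible, so the `sizeof(result)` comparison rests on `result` being an array rather than a pointer.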
@@ -531,14 +538,16 @@ static int firebird_handle_set_attribute
 }
 /* }}} */
 
+#define INFO_BUF_LEN 512
+
 /* callback to used to report database server info */
 static void firebird_info_cb(void *arg, char const *s) /* {{{ */
 {
 	if (arg) {
 		if (*(char*)arg) { /* second call */
-			strcat(arg, " ");
+			strlcat(arg, " ", INFO_BUF_LEN);
 		}
-		strcat(arg, s);
+		strlcat(arg, s, INFO_BUF_LEN);
 	}
 }
 /* }}} */
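Review bot: firebird_info_cb now truncates at INFO_BUF_LEN, but nothing in the callback's signature ties `arg` to a buffer of that size; the only guarantee is the `char tmp[INFO_BUF_LEN]` in firebird_handle_get_attribute (hunk at L42–L50), and the `strlcat` return value, which is how truncation is reported, is discarded. I would state the contract above the function: `/* arg, when non-NULL, must be a NUL-terminated buffer of INFO_BUF_LEN bytes; longer server info is silently truncated */`. If truncation should be observable, compare each `strlcat` result against INFO_BUF_LEN and stop appending once it is reached.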
@@ -549,7 +558,7 @@ static int firebird_handle_get_attribute
 	pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
 
 	switch (attr) {
-		char tmp[512];
+		char tmp[INFO_BUF_LEN];
 		
 		case PDO_ATTR_AUTOCOMMIT:
 			ZVAL_LONG(val,dbh->auto_commit);
Index: php-5.6.40/ext/pdo_firebird/firebird_statement.c
===================================================================
--- php-5.6.40.orig/ext/pdo_firebird/firebird_statement.c
+++ php-5.6.40/ext/pdo_firebird/firebird_statement.c
@@ -32,6 +32,8 @@
 	
 #define RECORD_ERROR(stmt) _firebird_error(NULL, stmt,  __FILE__, __LINE__ TSRMLS_CC)
 
+#define ZEND_ULONG_MAX UINT64_MAX
+
 /* free the allocated space for passing field values to the db and back */
 static void free_sqlda(XSQLDA const *sqlda) /* {{{ */
 {
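Review bot: `#define ZEND_ULONG_MAX UINT64_MAX` fixes the limit at 64 bits, while the value it is compared against in firebird_fetch_blob (hunk at L87–L98), `*len`, appears to be an `unsigned long` in the PHP 5 PDO driver API; on 32-bit targets and on Windows, `unsigned long` is 32 bits, so `*len == ZEND_ULONG_MAX` is never true there and `*len+1` can still wrap to 0 before `erealloc`. Tying the guard to the operand's own type avoids this: `#define ZEND_ULONG_MAX ULONG_MAX` with `<limits.h>`, or compare against `(unsigned long)-1` directly. `UINT64_MAX` also requires `<stdint.h>`, which this hunk does not add, and the `ZEND_` prefix reads as a Zend engine macro rather than a driver-local constant.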
@@ -120,8 +122,14 @@ static int firebird_stmt_execute(pdo_stm
 				}
 				if (result[0] == isc_info_sql_records) {
 					unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
+					if (result_size > sizeof(result)) {
+						goto error;
+					}
 					while (result[i] != isc_info_end && i < result_size) {
 						short len = (short) isc_vax_integer(&result[i + 1], 2);
+						if (len != 1 && len != 2 && len != 4) {
+							goto error;
+						}
 						if (result[i] != isc_info_req_select_count) {
 							affected_rows += isc_vax_integer(&result[i + 3], len);
 						}
@@ -145,6 +153,7 @@ static int firebird_stmt_execute(pdo_stm
 		return 1;
 	} while (0);
 
+error:
 	RECORD_ERROR(stmt);	
 
 	return 0;
@@ -267,6 +276,11 @@ static int firebird_fetch_blob(pdo_stmt_
 		unsigned short seg_len;
 		ISC_STATUS stat;
 
+		/* prevent overflow */
+		if (*len == ZEND_ULONG_MAX) {
+			result = 0;
+			goto fetch_blob_end;
+		}
 		*ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1);
 	
 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {