File php5-CVE-2021-21704.patch of Package php5
Index: php-5.6.40/ext/pdo_firebird/firebird_driver.c
===================================================================
--- php-5.6.40.orig/ext/pdo_firebird/firebird_driver.c
+++ php-5.6.40/ext/pdo_firebird/firebird_driver.c
@@ -253,8 +253,15 @@ static long firebird_handle_doer(pdo_dbh
 if (result[0] == isc_info_sql_records) {
 unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
+ if (result_size > sizeof(result)) {
+ return -1;
+ }
 while (result[i] != isc_info_end && i < result_size) {
 short len = (short)isc_vax_integer(&result[i+1],2);
+ /* bail out on bad len */
+ if (len != 1 && len != 2 && len != 4) {
+ return -1;
+ }
 if (result[i] != isc_info_req_select_count) {
 ret += isc_vax_integer(&result[i+3],len);
 }
@@ -531,14 +538,16 @@ static int firebird_handle_set_attribute
 }
 /* }}} */
+#define INFO_BUF_LEN 512
+
 /* callback to used to report database server info */
 static void firebird_info_cb(void *arg, char const *s) /* {{{ */
 {
 if (arg) {
 if (*(char*)arg) { /* second call */
- strcat(arg, " ");
+ strlcat(arg, " ", INFO_BUF_LEN);
 }
- strcat(arg, s);
+ strlcat(arg, s, INFO_BUF_LEN);
 }
 }
 /* }}} */
@@ -549,7 +558,7 @@ static int firebird_handle_get_attribute
 pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
 switch (attr) {
- char tmp[512];
+ char tmp[INFO_BUF_LEN];
 case PDO_ATTR_AUTOCOMMIT:
 ZVAL_LONG(val,dbh->auto_commit);
Index: php-5.6.40/ext/pdo_firebird/firebird_statement.c
===================================================================
--- php-5.6.40.orig/ext/pdo_firebird/firebird_statement.c
+++ php-5.6.40/ext/pdo_firebird/firebird_statement.c
@@ -32,6 +32,8 @@
 #define RECORD_ERROR(stmt) _firebird_error(NULL, stmt, __FILE__, __LINE__ TSRMLS_CC)
+#define ZEND_ULONG_MAX UINT64_MAX
+
 /* free the allocated space for passing field values to the db and back */
 static void free_sqlda(XSQLDA const *sqlda) /* {{{ */
 {
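Review bot: The new `result_size > sizeof(result)` check in firebird_handle_doer does not by itself keep the loop inside the buffer: with `i < result_size` the body still reads `result[i+1]`, `result[i+2]` and up to four bytes starting at `result[i+3]`, and the `while` condition evaluates `result[i]` before it tests `i`. When the reported size equals or is close to `sizeof(result)`, those reads can land a few bytes past the array. Consider testing the index first and bounding the whole item, e.g. `while (i < result_size && result[i] != isc_info_end)` plus `if (i + 3 + len > sizeof(result)) { return -1; }` before the `isc_vax_integer(&result[i+3],len)` call. The same pattern appears in the firebird_stmt_execute hunk of firebird_statement.c (there with `goto error`). Both functions start and end outside their hunks, so the declaration of `result` and the loop increment are not visible here.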
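Review bot: firebird_info_cb now assumes that `arg` points to a buffer of exactly `INFO_BUF_LEN` bytes, but nothing at the callback states this; the only link is the `char tmp[INFO_BUF_LEN]` declaration in the firebird_handle_get_attribute hunk, which is presumably the buffer passed in. A comment above the function such as `/* arg must be a NUL-terminated buffer of INFO_BUF_LEN bytes; text that does not fit is truncated */` would keep a later caller from passing a smaller buffer. The `strlcat` return value is ignored in both calls, so a truncated server info string is returned without any indication; check it if callers need to know.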
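Review bot: `ZEND_ULONG_MAX` is defined as `UINT64_MAX`, which only equals the value being guarded against if the length type is 64 bits wide. The check it feeds, `if (*len == ZEND_ULONG_MAX)` in the firebird_fetch_blob hunk, is there to stop `erealloc(*ptr, *len+1)` from wrapping to a zero-byte allocation. If `len` is an `unsigned long *` (its declaration is outside the hunk), the comparison can never be true on 32-bit and LLP64 builds, and `*len+1` can still wrap there. Using the limit of the actual type, e.g. `#define ZEND_ULONG_MAX ULONG_MAX` with `<limits.h>`, would make the guard hold on every platform.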
@@ -120,8 +122,14 @@ static int firebird_stmt_execute(pdo_stm
 }
 if (result[0] == isc_info_sql_records) {
 unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
+ if (result_size > sizeof(result)) {
+ goto error;
+ }
 while (result[i] != isc_info_end && i < result_size) {
 short len = (short) isc_vax_integer(&result[i + 1], 2);
+ if (len != 1 && len != 2 && len != 4) {
+ goto error;
+ }
 if (result[i] != isc_info_req_select_count) {
 affected_rows += isc_vax_integer(&result[i + 3], len);
 }
@@ -145,6 +153,7 @@ static int firebird_stmt_execute(pdo_stm
 return 1;
 } while (0);
+error:
 RECORD_ERROR(stmt);
 return 0;
@@ -267,6 +276,11 @@ static int firebird_fetch_blob(pdo_stmt_
 unsigned short seg_len;
 ISC_STATUS stat;
+ /* prevent overflow */
+ if (*len == ZEND_ULONG_MAX) {
+ result = 0;
+ goto fetch_blob_end;
+ }
 *ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1);
 for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {