mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00

Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes

Niels Dossche
2024-10-24 22:02:36 +02:00
committed by Jakub Zelenka
parent d9baa9fed8
commit 69c5f68fdc


@@ -662,7 +662,7 @@ free_statement:
/* called by the PDO SQL parser to add quotes to values that are copied into SQL */
static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquoted, enum pdo_param_type paramtype)
{
int qcount = 0;
size_t qcount = 0;
char const *co, *l, *r;
char *c;
size_t quotedlen;
@@ -676,6 +676,10 @@ static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *un
/* count the number of ' characters */
for (co = ZSTR_VAL(unquoted); (co = strchr(co,'\'')); qcount++, co++);
if (UNEXPECTED(ZSTR_LEN(unquoted) + 2 > ZSTR_MAX_LEN - qcount)) {
return NULL;
}
quotedlen = ZSTR_LEN(unquoted) + qcount + 2;
quoted_str = zend_string_alloc(quotedlen, 0);
c = ZSTR_VAL(quoted_str);
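Review bot: The new early `return NULL` in the overflow check gives firebird_handle_quoter a failure result that the comment above the function does not mention, and the added lines record no error on `dbh` before returning. The callers are not visible on this page, so it is worth confirming that the PDO SQL parser and any other caller test the result for NULL before using it; otherwise the rejected oversized input would become a NULL dereference instead of an out-of-bounds write. I would extend the header comment along the lines of `/* ... returns NULL if the quoted length would exceed ZSTR_MAX_LEN; callers must check */`. Separately, the counting loop relies on `strchr`, which stops at the first NUL byte, so `qcount` only matches the bytes written later if the copy code scans the same way. That copy code is in the rest of the function body, which continues outside this hunk.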