1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
|
From b671a8dd887ae7f661f6233e734179e8bca3daf6 Mon Sep 17 00:00:00 2001
From: sim1984 <sim-mail@list.ru>
Date: Mon, 25 Jun 2018 21:35:51 +0300
Subject: [PATCH 3/8] Fix bug #76488 Memory leak when fetching a BLOB field
Add a phpt test
(cherry picked from commit 3847a6fcb63c362548e9434b195232f2dcf7a6c7)
---
ext/pdo_firebird/firebird_statement.c | 2 +-
ext/pdo_firebird/tests/bug_76488.phpt | 32 +++++++++++++++++++++++++++
2 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 ext/pdo_firebird/tests/bug_76488.phpt
diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
index 3feeedf39f..88be6da369 100644
--- a/ext/pdo_firebird/firebird_statement.c
+++ b/ext/pdo_firebird/firebird_statement.c
@@ -294,7 +294,7 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
unsigned short seg_len;
ISC_STATUS stat;
- *ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1);
+ *ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
diff --git a/ext/pdo_firebird/tests/bug_76488.phpt b/ext/pdo_firebird/tests/bug_76488.phpt
new file mode 100644
index 0000000000..dba6734c28
--- /dev/null
+++ b/ext/pdo_firebird/tests/bug_76488.phpt
@@ -0,0 +1,32 @@
+--TEST--
+PDO_Firebird: Bug #76488 Memory leak when fetching a BLOB field
+--SKIPIF--
+<?php if (!extension_loaded('interbase') || !extension_loaded('pdo_firebird')) die('skip'); ?>
+--FILE--
+<?php
+require 'testdb.inc';
+$dbh = new PDO('firebird:dbname='.$test_base, $user, $password) or die;
+
+$sql = '
+with recursive r(n) as (
+ select 1 from rdb$database
+ union all
+ select n+1 from r where n < 1000
+)
+select n,
+ cast(lpad(\'A\', 8000, \'A\') as BLOB sub_type TEXT) as SRC
+from r
+';
+
+ for ($i = 0; $i < 10; $i++) {
+ $sth = $dbh->prepare($sql);
+ $sth->execute();
+ $rows = $sth->fetchAll();
+ unset($rows);
+ unset($sth);
+ }
+ unset($dbh);
+ echo "OK";
+?>
+--EXPECT--
+OK
\ No newline at end of file
--
2.31.1
From 9a58cd2ba3d99f5312966566a3632b197b676830 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 5 May 2021 12:42:17 +0200
Subject: [PATCH 4/8] Fix #76452: Crash while parsing blob data in
firebird_fetch_blob
We need to prevent integer overflow when calling `erealloc()` with
`len+1`.
(cherry picked from commit 286162e9b03071c4308e7e92597bca4239f49d89)
---
ext/pdo_firebird/firebird_statement.c | 5 +++++
ext/pdo_firebird/tests/bug_76452.data | Bin 0 -> 856 bytes
ext/pdo_firebird/tests/bug_76452.phpt | 31 ++++++++++++++++++++++++++
3 files changed, 36 insertions(+)
create mode 100644 ext/pdo_firebird/tests/bug_76452.data
create mode 100644 ext/pdo_firebird/tests/bug_76452.phpt
diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
index 88be6da369..fde897186d 100644
--- a/ext/pdo_firebird/firebird_statement.c
+++ b/ext/pdo_firebird/firebird_statement.c
@@ -294,6 +294,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
unsigned short seg_len;
ISC_STATUS stat;
+ /* prevent overflow */
+ if (*len == ZEND_ULONG_MAX) {
+ result = 0;
+ goto fetch_blob_end;
+ }
*ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
From 7b11e10fa679a575ca61e5bcd66db68193a3b2fb Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 30 Apr 2021 14:10:50 +0200
Subject: [PATCH 5/8] Fix #76450: SIGSEGV in firebird_stmt_execute
We need to verify that the `result_size` is not larger than our buffer,
and also should make sure that the `len` which is passed to
`isc_vax_integer()` has a permissible value; otherwise we bail out.
(cherry picked from commit bcbf8aa0c96d8d9e81ec3428232485555fae0b37)
---
ext/pdo_firebird/firebird_statement.c | 7 +++++++
ext/pdo_firebird/tests/bug_76450.data | Bin 0 -> 464 bytes
ext/pdo_firebird/tests/bug_76450.phpt | 29 ++++++++++++++++++++++++++
3 files changed, 36 insertions(+)
create mode 100644 ext/pdo_firebird/tests/bug_76450.data
create mode 100644 ext/pdo_firebird/tests/bug_76450.phpt
diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
index fde897186d..537f6f4038 100644
--- a/ext/pdo_firebird/firebird_statement.c
+++ b/ext/pdo_firebird/firebird_statement.c
@@ -133,8 +133,14 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
}
if (result[0] == isc_info_sql_records) {
unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
+ if (result_size > sizeof(result)) {
+ goto error;
+ }
while (result[i] != isc_info_end && i < result_size) {
short len = (short) isc_vax_integer(&result[i + 1], 2);
+ if (len != 1 && len != 2 && len != 4) {
+ goto error;
+ }
if (result[i] != isc_info_req_select_count) {
affected_rows += isc_vax_integer(&result[i + 3], len);
}
@@ -158,6 +164,7 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
return 1;
} while (0);
+error:
RECORD_ERROR(stmt);
return 0;
From 5952ac3d2e87d5f00a32f28d6f66209955e6e777 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 30 Apr 2021 13:53:21 +0200
Subject: [PATCH 6/8] Fix #76449: SIGSEGV in firebird_handle_doer
We need to verify that the `result_size` is not larger than our buffer,
and also should make sure that the `len` which is passed to
`isc_vax_integer()` has a permissible value; otherwise we bail out.
(cherry picked from commit 08da7c73726f7b86b67d6f0ff87c73c585a7834a)
---
ext/pdo_firebird/firebird_driver.c | 9 +++++++++
ext/pdo_firebird/tests/bug_76449.data | Bin 0 -> 464 bytes
ext/pdo_firebird/tests/bug_76449.phpt | 23 +++++++++++++++++++++++
3 files changed, 32 insertions(+)
create mode 100644 ext/pdo_firebird/tests/bug_76449.data
create mode 100644 ext/pdo_firebird/tests/bug_76449.phpt
diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
index 166fb13d43..46699d51d4 100644
--- a/ext/pdo_firebird/firebird_driver.c
+++ b/ext/pdo_firebird/firebird_driver.c
@@ -253,8 +253,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq
if (result[0] == isc_info_sql_records) {
unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
+ if (result_size > sizeof(result)) {
+ ret = -1;
+ goto free_statement;
+ }
while (result[i] != isc_info_end && i < result_size) {
short len = (short)isc_vax_integer(&result[i+1],2);
+ /* bail out on bad len */
+ if (len != 1 && len != 2 && len != 4) {
+ ret = -1;
+ goto free_statement;
+ }
if (result[i] != isc_info_req_select_count) {
ret += isc_vax_integer(&result[i+3],len);
}
From a1793d85e89a0c33b5496beec204ef3491af4bdc Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Thu, 29 Apr 2021 15:26:22 +0200
Subject: [PATCH 7/8] Fix #76448: Stack buffer overflow in firebird_info_cb
We ensure not to overflow the stack allocated buffer by using `strlcat`.
(cherry picked from commit 67afa32541ebc4abbf633cb1e7e879b2fbb616ad)
---
ext/pdo_firebird/firebird_driver.c | 8 +++++---
ext/pdo_firebird/tests/bug_76448.data | Bin 0 -> 749 bytes
ext/pdo_firebird/tests/bug_76448.phpt | 23 +++++++++++++++++++++++
3 files changed, 28 insertions(+), 3 deletions(-)
create mode 100644 ext/pdo_firebird/tests/bug_76448.data
create mode 100644 ext/pdo_firebird/tests/bug_76448.phpt
diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
index 46699d51d4..48808d6f3d 100644
--- a/ext/pdo_firebird/firebird_driver.c
+++ b/ext/pdo_firebird/firebird_driver.c
@@ -556,14 +556,16 @@ static int firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
}
/* }}} */
+#define INFO_BUF_LEN 512
+
/* callback to used to report database server info */
static void firebird_info_cb(void *arg, char const *s) /* {{{ */
{
if (arg) {
if (*(char*)arg) { /* second call */
- strcat(arg, " ");
+ strlcat(arg, " ", INFO_BUF_LEN);
}
- strcat(arg, s);
+ strlcat(arg, s, INFO_BUF_LEN);
}
}
/* }}} */
@@ -574,7 +576,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
switch (attr) {
- char tmp[512];
+ char tmp[INFO_BUF_LEN];
case PDO_ATTR_AUTOCOMMIT:
ZVAL_LONG(val,dbh->auto_commit);
From 4faea6cc54c742245639ba2736b199c711f2a77b Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 20 Jun 2021 22:20:38 -0700
Subject: [PATCH 8/8] Update NEWS
(cherry picked from commit c68a687566591e2268f35d124a90c7d556ce968b)
(cherry picked from commit 7598733c51af30611aa64e456c9a777069d2efb9)
---
NEWS | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/NEWS b/NEWS
index 9eff4bd7ae..861dbd7dd5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,19 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 7.3.29
+
+- Core:
+ . Fixed #81122: SSRF bypass in FILTER_VALIDATE_URL. (CVE-2021-21705) (cmb)
+
+- PDO_Firebird:
+ . Fixed #76448: Stack buffer overflow in firebird_info_cb. (CVE-2021-21704)
+ (cmb)
+ . Fixed #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704) (cmb)
+ . Fixed #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704) (cmb)
+ . Fixed #76452: Crash while parsing blob data in firebird_fetch_blob.
+ (CVE-2021-21704) (cmb)
+
Backported from 7.3.28
- Imap:
--
2.31.1
|