Integer overflow in the firebird and dblib quoters causing OOB writes

Impact

The following code:

php-src/ext/pdo_firebird/firebird_driver.c

Lines 805 to 808 in 5070fbf

    
           for (co = ZSTR_VAL(unquoted); (co = strchr(co,'\'')); qcount++, co++); 
        
           quotedlen = ZSTR_LEN(unquoted) + qcount + 2; 
        
           quoted_str = zend_string_alloc(quotedlen, 0);

and the following code:

php-src/ext/pdo_dblib/dblib_driver.c

Lines 164 to 174 in c34b37f

    
           /* Detect quoted length, adding extra char for doubled single quotes */ 
        
           for (i = 0; i < ZSTR_LEN(unquoted); i++) { 
        
           	if (ZSTR_VAL(unquoted)[i] == '\'') ++quotedlen; 
        
           	++quotedlen; 
        
           } 
        
           quotedlen += 2; /* +2 for opening, closing quotes */ 
        
           if (use_national_character_set) { 
        
           	++quotedlen; /* N prefix */ 
        
           } 
        
           quoted_str = zend_string_alloc(quotedlen, 0);

Can cause integer overflow, or can become a value over ZSTR_MAX_LEN causing an overflow, which eventually turns into an OOB write. This is triggerable on 32-bit especially.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Integer overflow in the firebird and dblib quoters causing OOB writes

Package

Affected versions

Patched versions

Description

Impact

Severity

CVE ID

Weaknesses

	for (co = ZSTR_VAL(unquoted); (co = strchr(co,'\'')); qcount++, co++);

	quotedlen = ZSTR_LEN(unquoted) + qcount + 2;
	quoted_str = zend_string_alloc(quotedlen, 0);

	/* Detect quoted length, adding extra char for doubled single quotes */
	for (i = 0; i < ZSTR_LEN(unquoted); i++) {
	if (ZSTR_VAL(unquoted)[i] == '\'') ++quotedlen;
	++quotedlen;
	}

	quotedlen += 2; /* +2 for opening, closing quotes */
	if (use_national_character_set) {
	++quotedlen; /* N prefix */
	}
	quoted_str = zend_string_alloc(quotedlen, 0);