Fix #76452: Crash while parsing blob data in firebird_fetch_blob

This reapplies 286162e to the PHP-8.1 (and up) branches, fixing what might have been caused by a bad merge conflict resolution.
liruqi · Jun 7, 2022 · a6a1313 · a6a1313
1 parent 93eeec8
commit a6a1313
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
@@ -305,7 +305,15 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, zval *result, ISC_QU
 		zend_ulong cur_len;
 		unsigned short seg_len;
 		ISC_STATUS stat;
-		zend_string *str = zend_string_alloc(len, 0);
+		zend_string *str;
+
+		/* prevent overflow */
+		if (len > ZSTR_MAX_LEN) {
+			result = 0;
+			goto fetch_blob_end;
+		}
+
+		str = zend_string_alloc(len, 0);
 
 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < len; cur_len += seg_len) {