Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
  Fix phpGH-16450: PDO_ODBC can inject garbage into field values

Author: cmb69

NEWS

@@ -85,6 +85,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
     (cmb)
 
+- PDO_ODBC:
+  . Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values). (cmb)
+
 - Phar:
   . Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808). (nielsdos)
 

ext/pdo_odbc/odbc_stmt.c

@@ -689,11 +689,12 @@ static int odbc_stmt_get_col(pdo_stmt_t *stmt, int colno, zval *result, enum pdo
 				/* read block. 256 bytes => 255 bytes are actually read, the last 1 is NULL */
 				rc = SQLGetData(S->stmt, colno+1, C->is_unicode ? SQL_C_BINARY : SQL_C_CHAR, buf2, 256, &C->fetched_len);
 
-				/* adjust `used` in case we have length info from the driver */
+				/* adjust `used` in case we have proper length info from the driver */
 				if (orig_fetched_len >= 0 && C->fetched_len >= 0) {
 					SQLLEN fixed_used = orig_fetched_len - C->fetched_len;
-					ZEND_ASSERT(fixed_used <= used + 1);
-					used = fixed_used;
+					if (fixed_used <= used + 1) {
+						used = fixed_used;
+					}
 				}
 
 				/* resize output buffer and reassemble block */

ext/pdo_odbc/tests/gh16450.phpt

@@ -0,0 +1,35 @@
+--TEST--
+GH-16450 (PDO_ODBC can inject garbage into field values)
+--EXTENSIONS--
+pdo_odbc
+--SKIPIF--
+<?php
+$dbpath = __DIR__ . "/test.mdb";
+try {
+    new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
+} catch (PDOException $ex) {
+    die("skip Cannot connect to MS Access database");
+}
+?>
+--FILE--
+<?php
+$dbpath = __DIR__ . "/test.mdb";
+$pdo = new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
+
+$pdo->exec("CREATE TABLE gh16450 (Id INT, MyLongText LONGCHAR)");
+$pdo->exec(sprintf("INSERT INTO gh16450 VALUES (1, '%s')", str_repeat("_", 2048)));
+$pdo->exec(sprintf("INSERT INTO gh16450 VALUES (1, '%s')", str_repeat("_", 2049)));
+
+$stmt = $pdo->query("SELECT MyLongText FROM gh16450");
+var_dump($stmt->fetchColumn(0));
+var_dump($stmt->fetchColumn(0));
+?>
+--CLEAN--
+<?php
+$dbpath = __DIR__ . "/test.mdb";
+$pdo = new PDO("odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=$dbpath;Uid=Admin;Pwd=;");
+$pdo->exec("DROP TABLE gh16450");
+?>
+--EXPECT--
+string(2048) "________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________"
+string(2049) "_________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________"