Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes

Author: nielsdos

ext/pdo_dblib/dblib_driver.c

@@ -148,7 +148,7 @@ static zend_string* dblib_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquo
 	bool use_national_character_set = 0;
 	size_t i;
 	char *q;
-	size_t quotedlen = 0;
+	size_t quotedlen = 0, extralen = 0;
 	zend_string *quoted_str;
 
 	if (H->assume_national_character_set_strings) {
@@ -163,14 +163,20 @@ static zend_string* dblib_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquo
 
 	/* Detect quoted length, adding extra char for doubled single quotes */
 	for (i = 0; i < ZSTR_LEN(unquoted); i++) {
-		if (ZSTR_VAL(unquoted)[i] == '\'') ++quotedlen;
+		if (ZSTR_VAL(unquoted)[i] == '\'') ++extralen;
 		++quotedlen;
 	}
 
 	quotedlen += 2; /* +2 for opening, closing quotes */
 	if (use_national_character_set) {
 		++quotedlen; /* N prefix */
 	}
+
+	if (UNEXPECTED(quotedlen > ZSTR_MAX_LEN - extralen)) {
+		return NULL;
+	}
+
+	quotedlen += extralen;
 	quoted_str = zend_string_alloc(quotedlen, 0);
 	q = ZSTR_VAL(quoted_str);
 	if (use_national_character_set) {

ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt

@@ -0,0 +1,24 @@
+--TEST--
+GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes)
+--EXTENSIONS--
+pdo_dblib
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 4) die("skip for 32bit platforms only");
+if (PHP_OS_FAMILY === "Windows") die("skip not for Windows because the virtual address space for application is only 2GiB");
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+require __DIR__ . '/config.inc';
+getDbConnection();
+?>
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+
+require __DIR__ . '/config.inc';
+$db = getDbConnection();
+var_dump($db->quote(str_repeat("'", 2147483646)));
+
+?>
+--EXPECT--
+bool(false)