Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes

(cherry picked from commit d9baa9fed8c3ba692a36b388c0c7762e5102e2e0)

Author: nielsdos

ext/pdo_dblib/dblib_driver.c

@@ -152,6 +152,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
 
 	size_t i;
 	char * q;
+	size_t extralen = 0;
 	*quotedlen = 0;
 
 	if (H->assume_national_character_set_strings) {
@@ -166,14 +167,19 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
 
 	/* Detect quoted length, adding extra char for doubled single quotes */
 	for (i = 0; i < unquotedlen; i++) {
-		if (unquoted[i] == '\'') ++*quotedlen;
+		if (unquoted[i] == '\'') ++extralen;
 		++*quotedlen;
 	}
 
 	*quotedlen += 2; /* +2 for opening, closing quotes */
 	if (use_national_character_set) {
 		++*quotedlen; /* N prefix */
 	}
+	if (UNEXPECTED(*quotedlen > ZSTR_MAX_LEN - extralen)) {
+		return 0;
+	}
+
+	*quotedlen += extralen;
 	q = *quoted = emalloc(*quotedlen + 1); /* Add byte for terminal null */
 	if (use_national_character_set) {
 		*q++ = 'N';

ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt

@@ -0,0 +1,24 @@
+--TEST--
+GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes)
+--EXTENSIONS--
+pdo_dblib
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 4) die("skip for 32bit platforms only");
+if (PHP_OS_FAMILY === "Windows") die("skip not for Windows because the virtual address space for application is only 2GiB");
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+require __DIR__ . '/config.inc';
+getDbConnection();
+?>
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+
+require __DIR__ . '/config.inc';
+$db = getDbConnection();
+var_dump($db->quote(str_repeat("'", 2147483646)));
+
+?>
+--EXPECT--
+bool(false)