Fix GHSA-h35g-vwh6-m678: Mysqlnd - various heap buffer over-reads

This fixes issues causing buffer over-read that leak heap content:
- RESP packet field default left over for COM_LIST
- RESP packet upsert filename
- OK packet message
- RESP packet for stmt row data
  - ps_fetch_from_1_to_8_bytes
  - ps_fetch_float
  - ps_fetch_double
  - ps_fetch_time
  - ps_fetch_date
  - ps_fetch_datetime
  - ps_fetch_string
  - ps_fetch_bit
- RESP packet for query row data (just possible overflow on 32bit)

It also adds various protocol tests using a new fake server.

Author: bukka

ext/mysqli/tests/fake_server.inc

@@ -0,0 +1,38 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - auth message buffer over-read)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+$port = 50001;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('auth_response_message_over_read', $port);
+$process->wait();
+
+try {
+    $conn = new mysqli( $servername, $username, $password, "", $port );
+    $info = mysqli_info($conn);
+    var_dump($info);
+} catch (Exception $e) {
+    echo $e->getMessage() . PHP_EOL;
+}
+
+$process->terminate();
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Malicious OK Auth Response [Extract heap through buffer over-read]: 0900000200000002000000fcff
+
+Warning: mysqli::__construct(): OK packet message length is past the packet size in %s on line %d
+Unknown error while trying to connect via tcp://127.0.0.1:50001
+done!

ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt

@@ -0,0 +1,47 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - tabular default)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+
+$port = 33305;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('tabular_response_def_over_read', $port);
+$process->wait();
+
+$conn = new mysqli($servername, $username, $password, "", $port);
+
+echo "[*] Running query on the fake server...\n";
+
+$result = $conn->query("SELECT * from users");
+
+if ($result) {
+    $all_fields = $result->fetch_fields();
+    var_dump($result->fetch_all(MYSQLI_ASSOC));
+    var_dump(get_object_vars($all_fields[0])["def"]);
+}
+
+$conn->close();
+
+$process->terminate();
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Server OK: 0700000200000002000000
+[*] Running query on the fake server...
+[*] Received: 140000000353454c454354202a2066726f6d207573657273
+[*] Sending - Malicious Tabular Response [Extract heap through buffer over-read]: 01000001011e0000020164016401640164016401640c3f000b000000030350000000fd000001aa05000003fe00002200040000040135017405000005fe00002200
+
+Warning: mysqli::query(): Protocol error. Server sent default for unsupported field list (mysqlnd_wireprotocol.c:%d) in %s on line %d
+done!

ext/mysqli/tests/ghsa-h35g-vwh6-m678-def.phpt

@@ -0,0 +1,43 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - upsert filename buffer over-read)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+$port = 33305;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('upsert_response_filename_over_read', $port);
+$process->wait();
+
+$conn = new mysqli($servername, $username, $password, "", $port);
+echo "[*] Running query on the fake server...\n";
+
+$result = $conn->query("SELECT * from users");
+$info = mysqli_info($conn);
+
+var_dump($info);
+
+$process->terminate();
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Server OK: 0700000200000002000000
+[*] Running query on the fake server...
+[*] Received: 140000000353454c454354202a2066726f6d207573657273
+[*] Sending - Malicious Tabular Response [Extract heap through buffer over-read]: 0900000100000000000000fa65
+
+Warning: mysqli::query(): RSET_HEADER packet additional data length is past 249 bytes the packet size in %s on line %d
+
+Warning: mysqli::query(): Error reading result set's header in %s on line %d
+NULL
+done!

ext/mysqli/tests/ghsa-h35g-vwh6-m678-filename.phpt

@@ -0,0 +1,48 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row no space for the field)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+$port = 33305;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('query_response_row_length_overflow', $port);
+$process->wait();
+
+$conn = new mysqli($servername, $username, $password, "", $port);
+
+echo "[*] Query the fake server...\n";
+$sql = "SELECT strval, strval FROM data";
+
+$result = $conn->query($sql);
+
+if ($result->num_rows > 0) {
+    while ($row = $result->fetch_assoc()) {
+        var_dump($row['strval']);
+    }
+}
+$conn->close();
+
+$process->terminate(true);
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Server OK: 0700000200000002000000
+[*] Query the fake server...
+[*] Received: 200000000353454c4543542073747276616c2c2073747276616c2046524f4d2064617461
+[*] Sending - Malicious Query Response for data strval field [length overflow]: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd011000000005000004fe000022000a0000050474657374fefefefefe05000006fe00002200
+
+Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after end of packet in %s on line %d
+[*] Received: 0100000001
+[*] Server finished
+done!

ext/mysqli/tests/ghsa-h35g-vwh6-m678-query-len-overflow.phpt

@@ -0,0 +1,53 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row bit buffer over-read)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+$port = 33305;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('stmt_response_row_over_read_bit', $port);
+$process->wait();
+
+$conn = new mysqli($servername, $username, $password, "", $port);
+
+echo "[*] Preparing statement on the fake server...\n";
+$stmt = $conn->prepare("SELECT bitval, timval FROM data");
+
+$stmt->execute();
+$result = $stmt->get_result();
+
+// Fetch and display the results
+if ($result->num_rows > 0) {
+    while ($row = $result->fetch_assoc()) {
+        var_dump($row["bitval"]);
+    }
+}
+$stmt->close();
+$conn->close();
+
+$process->terminate(true);
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Server OK: 0700000200000002000000
+[*] Preparing statement on the fake server...
+[*] Received: 200000001653454c4543542062697476616c2c2074696d76616c2046524f4d2064617461
+[*] Sending - Stmt prepare data bitval: 0c0000010001000000020000000000003200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610662697476616c0662697476616c0c3f004000000010211000000005000004fe00000200
+[*] Received: 0a00000017010000000001000000
+[*] Sending - Malicious Stmt Response for data bitval [Extract heap through buffer over-read]: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610662697476616c0662697476616c0c3f004000000010211000000005000004fe00002200100000050000067465737408080808080808080805000006fe00002200
+
+Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after the end of packet in %s on line %d
+[*] Received: 0500000019010000000100000001
+[*] Server finished
+done!

ext/mysqli/tests/ghsa-h35g-vwh6-m678-stmt-row-bit.phpt

@@ -0,0 +1,53 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row date buffer over-read)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+$port = 33305;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('stmt_response_row_over_read_date', $port);
+$process->wait();
+
+$conn = new mysqli($servername, $username, $password, "", $port);
+
+echo "[*] Preparing statement on the fake server...\n";
+$stmt = $conn->prepare("SELECT strval, datval FROM data");
+
+$stmt->execute();
+$result = $stmt->get_result();
+
+// Fetch and display the results
+if ($result->num_rows > 0) {
+    while ($row = $result->fetch_assoc()) {
+        var_dump($row["datval"]);
+    }
+}
+$stmt->close();
+$conn->close();
+
+$process->terminate(true);
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Server OK: 0700000200000002000000
+[*] Preparing statement on the fake server...
+[*] Received: 200000001653454c4543542073747276616c2c2064617476616c2046524f4d2064617461
+[*] Sending - Stmt prepare data datval: 0c0000010001000000020000000000003200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610664617476616c0664617476616c0c3f000a0000000a811000000005000004fe00000200
+[*] Received: 0a00000017010000000001000000
+[*] Sending - Malicious Stmt Response for data datval [Extract heap through buffer over-read]: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610664617476616c0664617476616c0c3f000a0000000a811000000005000004fe000022000c0000050000067465737404de070c0f05000006fe00002200
+
+Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after the end of packet in %s on line %d
+[*] Received: 0500000019010000000100000001
+[*] Server finished
+done!

ext/mysqli/tests/ghsa-h35g-vwh6-m678-stmt-row-date.phpt

@@ -0,0 +1,53 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row datetime buffer over-read)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+$port = 33305;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('stmt_response_row_over_read_datetime', $port);
+$process->wait();
+
+$conn = new mysqli($servername, $username, $password, "", $port);
+
+echo "[*] Preparing statement on the fake server...\n";
+$stmt = $conn->prepare("SELECT strval, dtival FROM data");
+
+$stmt->execute();
+$result = $stmt->get_result();
+
+// Fetch and display the results
+if ($result->num_rows > 0) {
+    while ($row = $result->fetch_assoc()) {
+        var_dump($row["dtival"]);
+    }
+}
+$stmt->close();
+$conn->close();
+
+$process->terminate(true);
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Server OK: 0700000200000002000000
+[*] Preparing statement on the fake server...
+[*] Received: 200000001653454c4543542073747276616c2c2064746976616c2046524f4d2064617461
+[*] Sending - Stmt prepare data dtival: 0c0000010001000000020000000000003200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610664746976616c0664746976616c0c3f00130000000c811000000005000004fe00000200
+[*] Received: 0a00000017010000000001000000
+[*] Sending - Malicious Stmt Response for data dtival [Extract heap through buffer over-read]: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610664746976616c0664746976616c0c3f00130000000c811000000005000004fe000022000f0000050000067465737407de070c100d000105000006fe00002200
+
+Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after the end of packet in %s on line %d
+[*] Received: 0500000019010000000100000001
+[*] Server finished
+done!

ext/mysqli/tests/ghsa-h35g-vwh6-m678-stmt-row-datetime.phpt

@@ -0,0 +1,53 @@
+--TEST--
+GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row double buffer over-read)
+--EXTENSIONS--
+mysqli
+--FILE--
+<?php
+require_once 'fake_server.inc';
+
+$port = 33305;
+$servername = "127.0.0.1";
+$username = "root";
+$password = "";
+
+$process = run_fake_server_in_background('stmt_response_row_over_read_double', $port);
+$process->wait();
+
+$conn = new mysqli($servername, $username, $password, "", $port);
+
+echo "[*] Preparing statement on the fake server...\n";
+$stmt = $conn->prepare("SELECT strval, dblval FROM data");
+
+$stmt->execute();
+$result = $stmt->get_result();
+
+// Fetch and display the results
+if ($result->num_rows > 0) {
+    while ($row = $result->fetch_assoc()) {
+        var_dump($row["dblval"]);
+    }
+}
+$stmt->close();
+$conn->close();
+
+$process->terminate(true);
+
+print "done!";
+?>
+--EXPECTF--
+[*] Server started
+[*] Connection established
+[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
+[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Sending - Server OK: 0700000200000002000000
+[*] Preparing statement on the fake server...
+[*] Received: 200000001653454c4543542073747276616c2c2064626c76616c2046524f4d2064617461
+[*] Sending - Stmt prepare data dblval: 0c0000010001000000020000000000003200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610664626c76616c0664626c76616c0c3f00160000000501101f000005000004fe00000200
+[*] Received: 0a00000017010000000001000000
+[*] Sending - Malicious Stmt Response for data dblval [Extract heap through buffer over-read]: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610664626c76616c0664626c76616c0c3f00160000000501101f000005000004fe000022000f00000500000674657374333333333333f33f05000006fe00002200
+
+Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after the end of packet in %s on line %d
+[*] Received: 0500000019010000000100000001
+[*] Server finished
+done!