Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref

bukka · bukka · commit ecf82e74b6e0 · 2025-12-12T11:55:39.000+01:00
diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re
@@ -287,6 +287,12 @@ safe:
 							}
 
 							plc->quoted = stmt->dbh->methods->quoter(stmt->dbh, buf, param_type);
+							if (plc->quoted == NULL) {
+								/* bork */
+								ret = -1;
+								strncpy(stmt->error_code, stmt->dbh->error_code, 6);
+								goto clean_up;
+							}
 						}
 					}
 
diff --git a/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
@@ -0,0 +1,28 @@
+--TEST--
+#GHSA-8xr5-qppj-gvwj: NULL Pointer Derefernce for failed user input quoting
+--EXTENSIONS--
+pdo
+pdo_pgsql
+--SKIPIF--
+<?php
+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+require_once dirname(__FILE__) . '/config.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+require_once dirname(__FILE__) . '/config.inc';
+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
+
+$sql = "SELECT * FROM users where username = :username";
+$stmt = $db->prepare($sql);
+
+$p1 = "alice\x99";
+var_dump($stmt->execute(['username' => $p1]));
+
+?>
+--EXPECT--
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -287,6 +287,12 @@ safe:`
`287`	`287`	`}`
`288`	`288`
`289`	`289`	`plc->quoted = stmt->dbh->methods->quoter(stmt->dbh, buf, param_type);`
	`290`	`+ if (plc->quoted == NULL) {`
	`291`	`+ /* bork */`
	`292`	`+ ret = -1;`
	`293`	`+ strncpy(stmt->error_code, stmt->dbh->error_code, 6);`
	`294`	`+ goto clean_up;`
	`295`	`+ }`
`290`	`296`	`}`
`291`	`297`	`}`
`292`	`298`