From f689413d82dd5755661c8d779127bb41fe4f22a9 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Tue, 16 Jun 2026 16:28:31 -0400
Subject: [PATCH] Fix buffer overflow converting @@IDENTITY in pdo_dblib lastInsertId

dblib_handle_last_id() converted the @@IDENTITY value into a 32-byte buffer with dbconvert()'s destination length set to -1, which disables FreeTDS's destination bounds check. A numeric(p,0) IDENTITY column with precision over ~30 produces a textual form longer than 32 bytes, overflowing the buffer. Size the buffer for the widest @@IDENTITY (numeric(38,0): 38 digits, sign, NUL) and pass the real destination length so dbconvert() stays in bounds, mirroring the explicit-destlen fix already in pdo_dblib_stmt_stringify_col().
---
 ext/pdo_dblib/dblib_driver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
index 0055dcb03b3c..2dca55baeedc 100644
--- a/ext/pdo_dblib/dblib_driver.c
+++ b/ext/pdo_dblib/dblib_driver.c
@@ -267,8 +267,8 @@ zend_string *dblib_handle_last_id(pdo_dbh_t *dbh, const zend_string *name)
 return NULL;
 }
- id = emalloc(32);
- len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)-1);
+ id = emalloc(40);
+ len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)40);
 dbcancel(H->link);
 ret_id = zend_string_init(id, len, 0);