Fix buffer overflow converting @@IDENTITY in pdo_dblib lastInsertId

iliaal · iliaal · commit 1a5a81ca9f15 · 2026-06-17T07:10:33.000-04:00
dblib_handle_last_id() converted the @@IDENTITY value into a 32-byte buffer with dbconvert()'s destination length set to -1, which disables FreeTDS's destination bounds check. A numeric(p,0) IDENTITY column with precision over ~30 produces a textual form longer than 32 bytes, overflowing the buffer. Size the buffer for the widest @@IDENTITY (numeric(38,0): 38 digits, sign, NUL) and pass the real destination length so dbconvert() stays in bounds, mirroring the explicit-destlen fix already in pdo_dblib_stmt_stringify_col(). Closes GH-22348
diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
@@ -267,8 +267,8 @@ zend_string *dblib_handle_last_id(pdo_dbh_t *dbh, const zend_string *name)
 		return NULL;
 	}
 
-	id = emalloc(32);
-	len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)-1);
+	id = emalloc(40);
+	len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)40);
 	dbcancel(H->link);
 
 	ret_id = zend_string_init(id, len, 0);

Original file line number	Diff line number	Diff line change
`@@ -267,8 +267,8 @@ zend_string dblib_handle_last_id(pdo_dbh_t dbh, const zend_string *name)`
`267`	`267`	`return NULL;`
`268`	`268`	`}`
`269`	`269`
`270`		`- id = emalloc(32);`
`271`		`- len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)-1);`
	`270`	`+ id = emalloc(40);`
	`271`	`+ len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)40);`
`272`	`272`	`dbcancel(H->link);`
`273`	`273`
`274`	`274`	`ret_id = zend_string_init(id, len, 0);`