fix oob read on malformed length field in dba flatfile handler

alhudz · alhudz · commit 9f244cea8d6c · 2026-06-10T11:15:01.000+05:30
diff --git a/ext/dba/libflatfile/flatfile.c b/ext/dba/libflatfile/flatfile.c
@@ -112,6 +112,9 @@ int flatfile_delete(flatfile *dba, datum key_datum) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
@@ -135,6 +138,9 @@ int flatfile_delete(flatfile *dba, datum key_datum) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
@@ -162,6 +168,9 @@ int flatfile_findkey(flatfile *dba, datum key_datum) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
@@ -178,6 +187,9 @@ int flatfile_findkey(flatfile *dba, datum key_datum) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
@@ -202,6 +214,9 @@ datum flatfile_firstkey(flatfile *dba) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
@@ -218,6 +233,9 @@ datum flatfile_firstkey(flatfile *dba) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
@@ -244,6 +262,9 @@ datum flatfile_nextkey(flatfile *dba) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
@@ -254,6 +275,9 @@ datum flatfile_nextkey(flatfile *dba) {
 		}
 		num = atoi(buf);
 		if (num >= buf_size) {
+			if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {
+				break;
+			}
 			buf_size = num + FLATFILE_BLOCK_SIZE;
 			buf = erealloc(buf, buf_size);
 		}
diff --git a/ext/dba/tests/dba_flatfile_oob.phpt b/ext/dba/tests/dba_flatfile_oob.phpt
@@ -0,0 +1,31 @@
+--TEST--
+DBA FlatFile handler bounds with a malformed (negative) length field
+--EXTENSIONS--
+dba
+--SKIPIF--
+<?php
+require_once __DIR__ . '/setup/setup_dba_tests.inc';
+check_skip('flatfile');
+?>
+--FILE--
+<?php
+$db_file = __DIR__ . '/dba_flatfile_oob.db';
+// A negative length narrows to a huge size_t and previously overran the read buffer.
+file_put_contents($db_file, "-1\n" . str_repeat('A', 200000));
+
+$db = dba_open($db_file, 'r', 'flatfile');
+var_dump(dba_firstkey($db));
+var_dump(dba_exists("AAAA", $db));
+var_dump(dba_fetch("AAAA", $db));
+dba_close($db);
+echo "done\n";
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/dba_flatfile_oob.db');
+?>
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)
+done

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,9 @@ int flatfile_delete(flatfile *dba, datum key_datum) {`
`112`	`112`	`}`
`113`	`113`	`num = atoi(buf);`
`114`	`114`	`if (num >= buf_size) {`
	`115`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`116`	`+ break;`
	`117`	`+ }`
`115`	`118`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`116`	`119`	`buf = erealloc(buf, buf_size);`
`117`	`120`	`}`
`@@ -135,6 +138,9 @@ int flatfile_delete(flatfile *dba, datum key_datum) {`
`135`	`138`	`}`
`136`	`139`	`num = atoi(buf);`
`137`	`140`	`if (num >= buf_size) {`
	`141`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`142`	`+ break;`
	`143`	`+ }`
`138`	`144`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`139`	`145`	`buf = erealloc(buf, buf_size);`
`140`	`146`	`}`
`@@ -162,6 +168,9 @@ int flatfile_findkey(flatfile *dba, datum key_datum) {`
`162`	`168`	`}`
`163`	`169`	`num = atoi(buf);`
`164`	`170`	`if (num >= buf_size) {`
	`171`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`172`	`+ break;`
	`173`	`+ }`
`165`	`174`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`166`	`175`	`buf = erealloc(buf, buf_size);`
`167`	`176`	`}`
`@@ -178,6 +187,9 @@ int flatfile_findkey(flatfile *dba, datum key_datum) {`
`178`	`187`	`}`
`179`	`188`	`num = atoi(buf);`
`180`	`189`	`if (num >= buf_size) {`
	`190`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`191`	`+ break;`
	`192`	`+ }`
`181`	`193`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`182`	`194`	`buf = erealloc(buf, buf_size);`
`183`	`195`	`}`
`@@ -202,6 +214,9 @@ datum flatfile_firstkey(flatfile *dba) {`
`202`	`214`	`}`
`203`	`215`	`num = atoi(buf);`
`204`	`216`	`if (num >= buf_size) {`
	`217`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`218`	`+ break;`
	`219`	`+ }`
`205`	`220`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`206`	`221`	`buf = erealloc(buf, buf_size);`
`207`	`222`	`}`
`@@ -218,6 +233,9 @@ datum flatfile_firstkey(flatfile *dba) {`
`218`	`233`	`}`
`219`	`234`	`num = atoi(buf);`
`220`	`235`	`if (num >= buf_size) {`
	`236`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`237`	`+ break;`
	`238`	`+ }`
`221`	`239`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`222`	`240`	`buf = erealloc(buf, buf_size);`
`223`	`241`	`}`
`@@ -244,6 +262,9 @@ datum flatfile_nextkey(flatfile *dba) {`
`244`	`262`	`}`
`245`	`263`	`num = atoi(buf);`
`246`	`264`	`if (num >= buf_size) {`
	`265`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`266`	`+ break;`
	`267`	`+ }`
`247`	`268`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`248`	`269`	`buf = erealloc(buf, buf_size);`
`249`	`270`	`}`
`@@ -254,6 +275,9 @@ datum flatfile_nextkey(flatfile *dba) {`
`254`	`275`	`}`
`255`	`276`	`num = atoi(buf);`
`256`	`277`	`if (num >= buf_size) {`
	`278`	`+ if (num > SIZE_MAX - FLATFILE_BLOCK_SIZE) {`
	`279`	`+ break;`
	`280`	`+ }`
`257`	`281`	`buf_size = num + FLATFILE_BLOCK_SIZE;`
`258`	`282`	`buf = erealloc(buf, buf_size);`
`259`	`283`	`}`