Fix signed dbconvert() return stored into size_t in dblib lastInsertId

dblib_handle_last_id() stored the DBINT return of dbconvert() into a
size_t len. dbconvert() returns -1 on conversion failure, which
sign-extends to SIZE_MAX and is passed as the length to
zend_string_init(), reading far past the 40-byte buffer and requesting a
SIZE_MAX allocation. Hold the result in a DBINT and bail on a negative
return, matching the failure-returns-NULL handling already used for
dbresults()/dbnextrow()/dbdatlen() earlier in the function.

Closes GH-22428

Author: iliaal

ext/pdo_dblib/dblib_driver.c

@@ -234,7 +234,7 @@ zend_string *dblib_handle_last_id(pdo_dbh_t *dbh, const zend_string *name)
 
 	RETCODE ret;
 	char *id = NULL;
-	size_t len;
+	DBINT len;
 	zend_string *ret_id;
 
 	/*
@@ -271,6 +271,11 @@ zend_string *dblib_handle_last_id(pdo_dbh_t *dbh, const zend_string *name)
 	len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)40);
 	dbcancel(H->link);
 
+	if (len < 0) {
+		efree(id);
+		return NULL;
+	}
+
 	ret_id = zend_string_init(id, len, 0);
 	efree(id);
 	return ret_id;