[Repost] PHP 5.3.3 ibase_gen_id() off-by-one Overflow Vulnerability
Posted: 2010-8-18 22:31  1867

=== Vulnerability ===

PHP 5.3.3 (possibly all versions) ibase_gen_id() off-by-one overflow

=== Author ===

cb

=== Description ===

The user-supplied variable "generator" is copied into the 128-byte buffer "query" (the size of the query variable), which causes an off-by-one overflow. See the snprintf statement marked [1] below, which copies into the "query" variable.

/* {{{ proto int ibase_gen_id(string generator [, int increment [, resource link_identifier ]])
   Increments the named generator and returns its new value */
PHP_FUNCTION(ibase_gen_id)
{
    zval *link = NULL;
    char query[128], *generator;
    int gen_len;
    long inc = 1;
    ibase_db_link *ib_link;
    ibase_trans *trans = NULL;
    XSQLDA out_sqlda;
    ISC_INT64 result;

    RESET_ERRMSG;

    if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|lr", &generator, &gen_len,
            &inc, &link)) {
        RETURN_FALSE;
    }

    PHP_IBASE_LINK_TRANS(link, ib_link, trans);

    [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);
...
}

   

=== Patch ===

    Replace [1] with [2].

    --- [1] snprintf(query, sizeof(query), "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);
    +++ [2] snprintf(query, sizeof(query) - 1, "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);


===========================================================================  
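The check a practitioner would want before applying [2] is to see exactly what each snprintf form writes into the 128-byte "query" array for an over-long generator name. The harness below is an added example, not code from the advisory or from PHP's ext/interbase: it rebuilds the two calls against a copy of the buffer surrounded by canary bytes, feeds them a constructed 200-character generator name, and reports snprintf's return value, where the terminating NUL landed, and whether any byte outside query[] was touched. The names run_form1, run_form2 and long_generator are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* A 128-byte "query" buffer like the one in ibase_gen_id(), wrapped in
 * canary bytes so any write past either end of the array is detectable.
 * Added check, not PHP's code. All members are char-sized, so there is
 * no padding between query[] and the canaries. */
#define QUERY_SIZE 128
#define CANARY 0xA5

struct guarded {
    unsigned char before[16];
    char query[QUERY_SIZE];
    unsigned char after[16];
};

/* Observations from one snprintf call into the guarded buffer. */
struct trial {
    int ret;         /* snprintf return value: length of the full, untruncated string */
    int nul_index;   /* index of the first '\0' inside query[], or -1 if none */
    int canary_ok;   /* 1 if every byte outside query[] is untouched */
};

static void arm(struct guarded *g) {
    memset(g->before, CANARY, sizeof g->before);
    memset(g->query, 'X', sizeof g->query);   /* poison: no stray '\0' can hide truncation */
    memset(g->after, CANARY, sizeof g->after);
}

static struct trial inspect(const struct guarded *g, int ret) {
    struct trial t;
    size_t i;
    t.ret = ret;
    t.nul_index = -1;
    for (i = 0; i < sizeof g->query; i++) {
        if (g->query[i] == '\0') { t.nul_index = (int)i; break; }
    }
    t.canary_ok = 1;
    for (i = 0; i < sizeof g->before; i++) {
        if (g->before[i] != CANARY || g->after[i] != CANARY) t.canary_ok = 0;
    }
    return t;
}

/* Form [1], as in PHP's ibase_gen_id(): the size argument is sizeof(query). */
struct trial run_form1(const char *generator, long inc) {
    struct guarded g;
    int ret;
    arm(&g);
    ret = snprintf(g.query, sizeof(g.query),
                   "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);
    return inspect(&g, ret);
}

/* Form [2], the advisory's proposed replacement: sizeof(query) - 1. */
struct trial run_form2(const char *generator, long inc) {
    struct guarded g;
    int ret;
    arm(&g);
    ret = snprintf(g.query, sizeof(g.query) - 1,
                   "SELECT GEN_ID(%s,%ld) FROM rdb$database", generator, inc);
    return inspect(&g, ret);
}

/* Constructed over-long generator name: 200 'A's, well past 128 bytes. */
const char *long_generator(void) {
    static char name[201];
    memset(name, 'A', 200);
    name[200] = '\0';
    return name;
}

int main(void) {
    struct trial a = run_form1(long_generator(), 1);
    struct trial b = run_form2(long_generator(), 1);
    printf("[1] wanted %d bytes, NUL at query[%d], canaries intact: %d\n",
           a.ret, a.nul_index, a.canary_ok);
    printf("[2] wanted %d bytes, NUL at query[%d], canaries intact: %d\n",
           b.ret, b.nul_index, b.canary_ok);
    return 0;
}
```

With a C99-conforming snprintf, the size argument bounds the write to at most size - 1 characters plus the terminating NUL: form [1] leaves the NUL at query[127] and form [2] at query[126], the return value (235 for the 200-character name) reports only how long the untruncated query would have been, and the canaries stay intact in both runs. The harness is the place to confirm that on the platform you actually build PHP against, since pre-C99 snprintf implementations differed in return value and termination behaviour.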
