Commit 1a5a81ca9f1 for php.net

commit 1a5a81ca9f15d1d46d9b705e2f66aec4e9d41cc0
Author: Ilia Alshanetsky <ilia@ilia.ws>
Date:   Tue Jun 16 16:28:31 2026 -0400

    Fix buffer overflow converting @@IDENTITY in pdo_dblib lastInsertId

    dblib_handle_last_id() converted the @@IDENTITY value into a 32-byte
    buffer with dbconvert()'s destination length set to -1, which disables
    FreeTDS's destination bounds check. A numeric(p,0) IDENTITY column with
    precision over ~30 produces a textual form longer than 32 bytes,
    overflowing the buffer. Size the buffer for the widest @@IDENTITY
    (numeric(38,0): 38 digits, sign, NUL) and pass the real destination
    length so dbconvert() stays in bounds, mirroring the explicit-destlen
    fix already in pdo_dblib_stmt_stringify_col().

    Closes GH-22348

diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
index 00ecf2d232c..d1d849168ba 100644
--- a/ext/pdo_dblib/dblib_driver.c
+++ b/ext/pdo_dblib/dblib_driver.c
@@ -267,8 +267,8 @@ zend_string *dblib_handle_last_id(pdo_dbh_t *dbh, const zend_string *name)
 		return NULL;
 	}

-	id = emalloc(32);
-	len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)-1);
+	id = emalloc(40);
+	len = dbconvert(NULL, (dbcoltype(H->link, 1)) , (dbdata(H->link, 1)) , (dbdatlen(H->link, 1)), SQLCHAR, (BYTE *)id, (DBINT)40);
 	dbcancel(H->link);

 	ret_id = zend_string_init(id, len, 0);