From 2054da60abd5d059355fadfa886cc542b3af0b2c Mon Sep 17 00:00:00 2001
From: Andrey Kovalev
Date: Mon, 26 May 2025 19:18:57 +0300
Subject: [PATCH] ext/mysqlnd/mysqlnd_auth.c: Add error handling for invalid public key size

Reported-by: Pavel Nekrasov
Signed-off-by: Andrey Kovalev
---
 ext/mysqlnd/mysqlnd_auth.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ext/mysqlnd/mysqlnd_auth.c b/ext/mysqlnd/mysqlnd_auth.c
index b8a23f87c663e..691375b1a6959 100644
--- a/ext/mysqlnd/mysqlnd_auth.c
+++ b/ext/mysqlnd/mysqlnd_auth.c
@@ -1005,9 +1005,19 @@ void php_mysqlnd_scramble_sha2(zend_uchar * const buffer, const zend_uchar * con
 static size_t
 mysqlnd_caching_sha2_public_encrypt(MYSQLND_CONN_DATA * conn, mysqlnd_rsa_t server_public_key, size_t passwd_len, unsigned char **crypted, char *xor_str)
 {
- size_t server_public_key_len = (size_t) EVP_PKEY_size(server_public_key);
-
 DBG_ENTER("mysqlnd_caching_sha2_public_encrypt");
+
+ int pkey_size = EVP_PKEY_size(server_public_key);
+
+ if (pkey_size <= 0) {
+ EVP_PKEY_free(server_public_key);
+ SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "invalid public key size");
+ DBG_ERR("invalid public key size");
+ DBG_RETURN(0);
+ }
+
+ size_t server_public_key_len = (size_t) pkey_size;
+
 /*
 Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len.
 RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here:
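Review bot: The new `pkey_size <= 0` branch frees `server_public_key`, a handle the function received by value, so after a 0 return the caller still holds a pointer to a key that has already been released, and nothing in the hunk documents that. The rest of `mysqlnd_caching_sha2_public_encrypt` lies outside this hunk, so it should be confirmed that every other exit also consumes the key and that no caller frees it again on failure, which would be a double free. If that holds, state the contract once above the function, e.g. `/* Consumes server_public_key: freed on every return path, including errors; returns 0 on failure with conn->error_info set. */`.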