harness DBIc_TYPE switch

[rwfranks]

Transcribed verbatim from CPAN RT#87031, warts and all.

Thu Jul 18 17:15:10 2013 rurban [...] x-ray.at - Ticket created
Subject: harness DBIc_TYPE switch

I already added this patch to the other security ticket of mine, but it was never applied.

Handle all allowed cases for DBIc_TYPE(imp), and fail when abused.
As shown in the security case with use-after-free.
Subject: dbi.patch
dbi.patch
Index: DBI.xs

===================================================================
--- DBI.xs	(revision 15622)
+++ DBI.xs	(working copy)
@@ -1369,6 +1369,7 @@
     imp_xxh_t *imp;
     imp_xxh_t *parent_imp;
     int trace_level;
+    int htype;
 
     h      = dbih_inner(aTHX_ orv, "dbih_setup_handle");
     parent = dbih_inner(aTHX_ parent, NULL);    /* check parent valid (& inner) */
@@ -1478,7 +1479,8 @@
             DBIc_LongReadLen(imp) = DBIc_LongReadLen_init;
         }

-        switch (DBIc_TYPE(imp)) {
+	htype = DBIc_TYPE(imp);
+        switch (htype) {
         case DBIt_DB:
             /* cache _inner_ handle, but also see quick_FETCH */
             (void)hv_store((HV*)SvRV(h), "Driver", 6, newRV_inc(SvRV(parent)), 0);
@@ -1492,10 +1494,15 @@
             tmp_svp = hv_fetch((HV*)SvRV(h), "Statement", 9, 1);
             (void)hv_store((HV*)SvRV(parent), "Statement", 9, SvREFCNT_inc(*tmp_svp), 0);
             break;
+	case DBIt_DR:
+	case DBIt_FD:
+            break;
+	default:
+            die("Wrong DBIc_TYPE %d=%s", htype, dbih_htype_name(htype));
         }
     }
     else 
-        die("panic: invalid DBIc_TYPE");
+        die("panic: invalid DBIc_TYPE %d", DBIc_TYPE(imp));
 
     /* Use DBI magic on inner handle to carry handle attributes         */
     /* Note that we store the imp_sv in mg_obj, but as a shortcut,      */