connectivity/source/drivers/firebird/ResultSet.cxx |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

New commits:
commit 2e5dad443a30055d93dbcb3bf9cac906e80b2e25
Author:     Mike Kaganski <mike.kagan...@collabora.com>
AuthorDate: Wed Sep 1 17:41:05 2021 +0200
Commit:     Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Thu Sep 2 06:11:08 2021 +0200

    tdf#144230: sanitize string length embedded in SQL_VARYING data
    
    It is unclear why the length may be wrong; but at least be safe to
    avoid buffer overruns.
    
    Wrt the validity of sqllen here: see SQLDAMetadata::scatterData in
    firebird's src/yvalve/why.cpp.
    
    Change-Id: Icc24c1cc0db66c20732188ab0621cde53c1ba5c2
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121458
    Tested-by: Jenkins
    Reviewed-by: Mike Kaganski <mike.kagan...@collabora.com>

diff --git a/connectivity/source/drivers/firebird/ResultSet.cxx 
b/connectivity/source/drivers/firebird/ResultSet.cxx
index 0e0361a7bbd8..17e87cf8a55d 100644
--- a/connectivity/source/drivers/firebird/ResultSet.cxx
+++ b/connectivity/source/drivers/firebird/ResultSet.cxx
@@ -579,10 +579,11 @@ OUString OResultSet::retrieveValue(const sal_Int32 
nColumnIndex, const ISC_SHORT
     else if (aSqlType == SQL_VARYING)
     {
         // First 2 bytes are a short containing the length of the string
-        // No idea if sqllen is still valid here?
+        // Under unclear conditions, it may be wrong and greater than sqllen.
         sal_uInt16 aLength = 
*reinterpret_cast<sal_uInt16*>(m_pSqlda->sqlvar[nColumnIndex-1].sqldata);
+        // Use greater signed type sal_Int32 to get the minimum of two 16-bit 
values
         return OUString(m_pSqlda->sqlvar[nColumnIndex-1].sqldata + 2,
-                        aLength,
+                        std::min<sal_Int32>(aLength, 
m_pSqlda->sqlvar[nColumnIndex-1].sqllen),
                         RTL_TEXTENCODING_UTF8);
     }
     else if ((aSqlType == SQL_SHORT || aSqlType == SQL_LONG ||
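Review bot: The clamp on the new `std::min<sal_Int32>(aLength, ...sqllen)` line truncates silently, which hides the very condition the commit says is not understood; a diagnostic at the truncation point would give tdf#144230 the data it lacks, e.g. `SAL_WARN_IF(aLength > m_pSqlda->sqlvar[nColumnIndex-1].sqllen, "connectivity.firebird", "SQL_VARYING length prefix exceeds sqllen, truncating");`. If `sqllen` is Firebird's signed `ISC_SHORT` (as the XSQLVAR definition suggests, not visible here), a negative value would pass straight through the min and reach the OUString constructor as a negative length, so `std::max<sal_Int32>(0, std::min<sal_Int32>(aLength, sqllen))` is the safer form. The unchanged `*reinterpret_cast<sal_uInt16*>(sqldata)` read two lines above also assumes the buffer holds at least the 2-byte prefix and aliases through an unrelated type; a `memcpy` into a local `sal_uInt16` would express that intent without the strict-aliasing question. retrieveValue begins before and continues after this hunk.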
