Dmitrii Zabotlin created IGNITE-21556:
-----------------------------------------

             Summary: ODBC 3.0: Use after free in SQLExecDirect
                 Key: IGNITE-21556
                 URL: https://issues.apache.org/jira/browse/IGNITE-21556
             Project: Ignite
          Issue Type: Bug
          Components: platforms
    Affects Versions: 3.0
            Reporter: Dmitrii Zabotlin


There is a use-after-free bug in the ODBC platforms code.
Steps to reproduce:
1. Execute a query with parameters that were bound earlier.
2. Execute another query on the same statement without parameters (for example, a SELECT).

If the previous parameter arrays have already been freed, the crash occurs here:
{code:c++}
void parameter::reset_stored_data() {
    m_stored_data.clear();

    if (m_buffer.is_data_at_exec())
        m_stored_data.reserve(m_buffer.get_data_at_exec_size());
}
{code}

The is_data_at_exec method reads the buffer contents:
{code:c++}
bool application_data_buffer::is_data_at_exec() const {
    const SQLLEN *res_len_ptr = get_result_len();
    if (!res_len_ptr)
        return false;

    auto s_len = static_cast<std::int32_t>(*res_len_ptr);
    return s_len <= SQL_LEN_DATA_AT_EXEC_OFFSET || s_len == SQL_DATA_AT_EXEC;
}
{code}
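The following is an added example, not code from the Ignite driver. It models the lifetime problem described above: the driver keeps the StrLen_or_IndPtr the application passed to SQLBindParameter and dereferences it on every later execute, so once the application has freed that buffer without first calling SQLFreeStmt(hstmt, SQL_RESET_PARAMS), the next SQLExecDirect on the same statement reads freed memory even when the new query has no parameters. The statement, binding and scenario names, the SQLLEN typedef, the "toy sanitizer" that counts reads of freed pointers instead of crashing, and the checked execute path (a driver-side guard that skips bindings for marker-free queries) are all assumptions for illustration; only the is_data_at_exec decision and the two ODBC constants follow the code on the page.

```cpp
// Added example, not Ignite's code: a trimmed model of the lifetime problem in
// IGNITE-21556. Names are hypothetical stand-ins for the driver's objects.
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>
#include <vector>

typedef long SQLLEN;                        // assumption: unixODBC, 64-bit Linux
#define SQL_DATA_AT_EXEC            (-2)    // values as in ODBC's sqlext.h
#define SQL_LEN_DATA_AT_EXEC_OFFSET (-100)

// Toy sanitizer: the application registers length pointers it has "freed"; a
// driver read through one of them is counted instead of crashing the process.
static std::set<const SQLLEN *> g_freed;
static int g_uaf_reads = 0;

static SQLLEN read_app_len(const SQLLEN *p) {
    if (g_freed.count(p)) { ++g_uaf_reads; return 0; }  // read of freed memory
    return *p;
}

struct app_binding {
    const SQLLEN *res_len_ptr;  // StrLen_or_IndPtr, owned by the application
};

// Same decision as application_data_buffer::is_data_at_exec on the page: whether
// a parameter is data-at-execution is only known by dereferencing at execute time.
static bool is_data_at_exec(const app_binding &b) {
    if (!b.res_len_ptr) return false;
    auto s_len = static_cast<std::int32_t>(read_app_len(b.res_len_ptr));
    return s_len <= SQL_LEN_DATA_AT_EXEC_OFFSET || s_len == SQL_DATA_AT_EXEC;
}

// Number of '?' parameter markers outside single-quoted string literals.
static std::size_t count_markers(const std::string &sql) {
    std::size_t n = 0;
    bool in_str = false;
    for (char c : sql) {
        if (c == '\'')
            in_str = !in_str;
        else if (c == '?' && !in_str)
            ++n;
    }
    return n;
}

struct statement {
    std::vector<app_binding> m_params;

    void bind_parameter(const SQLLEN *len) { m_params.push_back({len}); }
    // SQLFreeStmt(hstmt, SQL_RESET_PARAMS): forget the application's pointers.
    // The application must call it before freeing those buffers.
    void reset_params() { m_params.clear(); }

    // Shape of the path on the page: every execute walks every stored binding.
    int exec_direct_unchecked(const std::string &) {
        int at_exec = 0;
        for (const auto &p : m_params)
            if (is_data_at_exec(p))
                ++at_exec;
        return at_exec;
    }

    // Hardened variant (an assumed driver-side guard, not Ignite's actual fix):
    // a query without markers never consults old bindings, and more markers than
    // bindings is rejected (-1) rather than silently reusing stale ones.
    int exec_direct_checked(const std::string &sql) {
        std::size_t markers = count_markers(sql);
        if (markers == 0)
            return 0;
        if (markers > m_params.size())
            return -1;
        int at_exec = 0;
        for (std::size_t i = 0; i < markers; ++i)
            if (is_data_at_exec(m_params[i]))
                ++at_exec;
        return at_exec;
    }
};

// The report's two steps with the application freeing its length buffer in
// between (constructed scenario). Returns how many reads of freed memory the
// second, parameterless execute performed.
static int freed_reads_in_second_execute(bool reset_before_free, bool checked) {
    statement stmt;
    SQLLEN len = SQL_DATA_AT_EXEC;                       // application-owned
    stmt.bind_parameter(&len);
    (void)(checked ? stmt.exec_direct_checked("INSERT INTO t VALUES (?)")
                   : stmt.exec_direct_unchecked("INSERT INTO t VALUES (?)"));
    if (reset_before_free)
        stmt.reset_params();                             // SQL_RESET_PARAMS
    g_freed.insert(&len);                                // application frees it
    int before = g_uaf_reads;
    (void)(checked ? stmt.exec_direct_checked("SELECT 1")
                   : stmt.exec_direct_unchecked("SELECT 1"));  // crash on the page
    g_freed.erase(&len);
    return g_uaf_reads - before;
}
```

Only the unchecked path without a prior SQL_RESET_PARAMS touches freed memory; resetting the bindings before freeing them (the application's obligation under ODBC, since bound buffers are deferred and read at execute time) avoids it regardless of the driver, and the checked path avoids it for parameterless queries even when the application forgets. Against the real driver, the same two steps under an AddressSanitizer build (-fsanitize=address) are the quickest way to confirm the read.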
 
--
This message was sent by Atlassian Jira
(v8.20.10#820010)