Yet another ODBC-on-64-bit crash because of a wrong buffer size. This is
supposed to be a SQLLEN but was hardcoded as 4 bytes.

You can see that e.g. in
connectivity/source/drivers/odbcbase/OPreparedStatement.cxx,
OPreparedStatement::setNull:

    sal_Int8* lenBuf = getLengthBuf (parameterIndex);
    *(SQLLEN*)lenBuf = SQL_NULL_DATA;

getLengthBuf just returns the paramLength member of the corresponding
OBoundParam.

On my machine in my (debug) build, that (or maybe some other piece of
code, such as
  line 875:  memcpy (lenBuf, &atExec, sizeof (atExec));
  line 882:      N3SQLBindParameter(m_aStatementHandle,
                        (SQLUSMALLINT)ParameterIndex,
                        (SQLUSMALLINT)SQL_PARAM_INPUT,
                        Ctype,
                        (SQLSMALLINT)SQLtype,
                        (SQLULEN)length,
                        0,
                        dataBuf,
                        sizeof(ParameterIndex),
                        (SQLLEN*)lenBuf);
)
would overwrite malloc's metadata, and thus in the OBoundParameter destructor:
    delete [] paramLength;
would call abort() because "bad pointer".

Please apply to libreoffice-3-4 and libreoffice-3-5.

Thanks,

BTW, even after "export MALLOC_CHECK_=3", I wouldn't get free() to
properly complain on stderr, gdb showed malloc_printerr called with
action=2 instead of action=3. Quid?

-- 
Lionel
From 84d21e4de26bd69f7ca5b10f2c72779f07e11347 Mon Sep 17 00:00:00 2001
From: Lionel Elie Mamane <lio...@mamane.lu>
Date: Tue, 14 Feb 2012 14:54:03 +0100
Subject: [PATCH] odbc 64 bit crash: correct buffer length allocation for a
 SQLLEN

---
 connectivity/source/inc/odbc/OBoundParam.hxx |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/connectivity/source/inc/odbc/OBoundParam.hxx b/connectivity/source/inc/odbc/OBoundParam.hxx
index 2310a2e..99a4901 100644
--- a/connectivity/source/inc/odbc/OBoundParam.hxx
+++ b/connectivity/source/inc/odbc/OBoundParam.hxx
@@ -68,7 +68,7 @@ namespace connectivity
                 // to a Java sal_Int32.  The jdbcodbc 'C' bridge provides an
                 // interface to do this.
 
-                paramLength = new sal_Int8[4];
+                paramLength = new sal_Int8[sizeof(SQLLEN)];
             }
 
             //--------------------------------------------------------------------
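Review bot: the comment left in place just above the changed line (the "Java sal_Int32" / "jdbcodbc 'C' bridge" explanation) now contradicts the allocation and invites someone to "fix" it back to 4; with the `+ paramLength = new sal_Int8[sizeof(SQLLEN)];` line it should say that the buffer holds the one SQLLEN the driver writes through the length/indicator pointer, which is 8 bytes on 64-bit unixODBC. Since every consumer already reinterprets the bytes as `(SQLLEN*)lenBuf`, declaring `paramLength` as a `SQLLEN` member (or `new SQLLEN`) would drop the casts and the separate `delete []`; if the byte array is kept, confirm that `SQLLEN` is declared by the headers OBoundParam.hxx includes, as `sizeof(SQLLEN)` is the first use of the type visible in this file.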
-- 
1.7.7.3

_______________________________________________
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice
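The mechanism behind the crash described above, as an added example that is not LibreOffice code: a length buffer allocated with a hardcoded 4 bytes receives a full SQLLEN write, and the bytes past the allocation land on whatever sits next to it on the heap (malloc's chunk header in the original). The example assumes SQLLEN is `long`, as unixODBC's sqltypes.h defines it on LP64 builds, and SQL_NULL_DATA is -1 as in sql.h. Instead of really overflowing a malloc'd block (undefined behaviour), the neighbouring metadata is modelled by a canary-filled slab, so the overrun can be measured rather than crashed on; `overrun_bytes`, `len_buf_is_safe` and `roundtrip_null` are names chosen here, not ODBC or LibreOffice functions.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: unixODBC on an LP64 platform, where SQLLEN is `long` (8 bytes). */
typedef long SQLLEN;
/* From sql.h: the length/indicator value meaning "this parameter is NULL". */
#define SQL_NULL_DATA (-1)

/* The canary models the malloc metadata that follows a short allocation. */
#define CANARY 0xA5

/* A slab large enough for any SQLLEN plus the canary bytes after it. */
struct slab {
    unsigned char bytes[32];
};

/* Place a buf_size-byte "allocation" at the start of the slab, fill the rest
 * with the canary, then do what setNull does: store SQL_NULL_DATA through the
 * byte buffer as a SQLLEN.  Returns how many canary bytes were clobbered
 * (0 when the buffer is large enough).  memcpy is used instead of the
 * original (SQLLEN*) cast so the example itself has no alignment UB. */
static size_t overrun_bytes(size_t buf_size)
{
    struct slab s;
    SQLLEN v = SQL_NULL_DATA;         /* all bytes 0xFF, so every one differs from the canary */
    size_t clobbered = 0, i;

    if (buf_size > sizeof s.bytes)
        buf_size = sizeof s.bytes;
    memset(s.bytes, CANARY, sizeof s.bytes);
    memcpy(s.bytes, &v, sizeof v);    /* the write the ODBC code performs */
    for (i = buf_size; i < sizeof s.bytes; i++)
        if (s.bytes[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* The check the original allocation lacked: the indicator buffer must be able
 * to hold one SQLLEN on this platform. */
static int len_buf_is_safe(size_t buf_size)
{
    return buf_size >= sizeof(SQLLEN);
}

/* With a correctly sized buffer, the value written by setNull reads back
 * intact; this is what the fixed allocation (sizeof(SQLLEN) bytes) gives. */
static SQLLEN roundtrip_null(size_t buf_size)
{
    unsigned char buf[sizeof(SQLLEN)];
    SQLLEN in = SQL_NULL_DATA, out = 0;

    if (!len_buf_is_safe(buf_size))
        return 0;                     /* caller would have overflowed; refuse */
    memcpy(buf, &in, sizeof in);
    memcpy(&out, buf, sizeof out);
    return out;
}

int main(void)
{
    printf("sizeof(SQLLEN) = %zu\n", sizeof(SQLLEN));
    printf("hardcoded 4-byte buffer: %zu byte(s) of neighbouring data clobbered\n",
           overrun_bytes(4));
    printf("sizeof(SQLLEN) buffer:   %zu byte(s) clobbered\n",
           overrun_bytes(sizeof(SQLLEN)));
    printf("roundtrip with fixed buffer: %ld (SQL_NULL_DATA is %d)\n",
           (long)roundtrip_null(sizeof(SQLLEN)), SQL_NULL_DATA);
    return 0;
}
```

On a 64-bit Linux build the first line of output reports 8 and the hardcoded buffer clobbers 4 bytes beyond its end; on a 32-bit build both allocations are the same size and nothing is clobbered, which is why the bug only shows up as a 64-bit crash.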
