Yet another ODBC crash on 64-bit because of a wrong buffer size. This is
supposed to be a SQLLEN but was hard-coded as 4 bytes.

You can see that e.g. in
connectivity/source/drivers/odbcbase/OPreparedStatement.cxx,
OPreparedStatement::setNull:

    sal_Int8* lenBuf = getLengthBuf (parameterIndex);
    *(SQLLEN*)lenBuf = SQL_NULL_DATA;

getLengthBuf just returns the paramLength member of the corresponding
OBoundParam.

On my machine in my (debug) build, that (or maybe some other piece of
code, such as
  line 875:  memcpy (lenBuf, &atExec, sizeof (atExec));
  line 882:      N3SQLBindParameter(m_aStatementHandle,
                        (SQLUSMALLINT)ParameterIndex,
                        (SQLUSMALLINT)SQL_PARAM_INPUT,
                        Ctype,
                        (SQLSMALLINT)SQLtype,
                        (SQLULEN)length,
                        0,
                        dataBuf,
                        sizeof(ParameterIndex),
                        (SQLLEN*)lenBuf);
)
would overwrite malloc's metadata, and thus in the OBoundParameter destructor:
    delete [] paramLength;
would call abort() because "bad pointer".

Please apply to libreoffice-3-4 and libreoffice-3-5.

Thanks,

BTW, even after "export MALLOC_CHECK_=3", I wouldn't get free() to
properly complain on stderr; gdb showed malloc_printerr called with
action=2 instead of action=3. Quid?

-- 
Lionel
From 84d21e4de26bd69f7ca5b10f2c72779f07e11347 Mon Sep 17 00:00:00 2001
From: Lionel Elie Mamane <lionel@mamane.lu>
Date: Tue, 14 Feb 2012 14:54:03 +0100
Subject: [PATCH] odbc 64 bit crash: correct buffer length allocation for a
 SQLLEN

---
 connectivity/source/inc/odbc/OBoundParam.hxx |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/connectivity/source/inc/odbc/OBoundParam.hxx b/connectivity/source/inc/odbc/OBoundParam.hxx
index 2310a2e..99a4901 100644
--- a/connectivity/source/inc/odbc/OBoundParam.hxx
+++ b/connectivity/source/inc/odbc/OBoundParam.hxx
@@ -68,7 +68,7 @@ namespace connectivity
                 // to a Java sal_Int32.  The jdbcodbc 'C' bridge provides an
                 // interface to do this.
 
-                paramLength = new sal_Int8[4];
+                paramLength = new sal_Int8[sizeof(SQLLEN)];
             }
 
             //--------------------------------------------------------------------
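Review bot: the comment directly above the changed line still explains the buffer as holding "a Java sal_Int32" handed across "the jdbcodbc 'C' bridge", which is exactly the reasoning behind the old hard-coded 4; with the allocation now sizeof(SQLLEN), update that comment to say the buffer holds one SQLLEN that the ODBC driver writes through the SQLLEN* passed to SQLBindParameter, otherwise the next reader may shrink it back. Also consider making the member a SQLLEN (or SQLLEN*) instead of a sal_Int8 array that gets cast at each use, since casts like `*(SQLLEN*)lenBuf = SQL_NULL_DATA;` and `(SQLLEN*)lenBuf` in the bind call are what let the width mismatch go unnoticed; and make sure the header that defines SQLLEN is included in OBoundParam.hxx so sizeof(SQLLEN) resolves here.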
-- 
1.7.7.3
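As an added example (not LibreOffice code and not part of the message above), the following C program models the mismatch the patch fixes: a length buffer allocated as 4 bytes but written through as a SQLLEN, which is 8 bytes on a 64-bit build. The SQLLEN and sal_Int8 typedefs and the SQL_NULL_DATA value are stand-ins so it compiles without sql.h; the BoundParam struct, its paramLengthBytes field and the bound_param_* / demo_* functions are hypothetical names chosen for this example. Unlike the original, the setter records the buffer size and refuses the write when the buffer is narrower than SQLLEN, which is the check that would have turned the silent heap overrun into an immediate, diagnosable failure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in typedefs (assumption, so this compiles without sql.h): on a
 * 64-bit unixODBC build SQLLEN is a signed 64-bit integer and sal_Int8
 * is a signed 8-bit integer. SQL_NULL_DATA is -1 in the ODBC headers. */
typedef int64_t     SQLLEN;
typedef signed char sal_Int8;
#define SQL_NULL_DATA (-1)

/* The two allocation sizes under discussion: the old hard-coded 4 and
 * the patched sizeof(SQLLEN). */
#define PARAMLEN_OLD_BYTES 4u
#define PARAMLEN_NEW_BYTES sizeof(SQLLEN)

/* Minimal model of OBoundParam (hypothetical, not the LibreOffice class):
 * the length buffer plus the one thing the original lacks, its size. */
typedef struct {
    sal_Int8 *paramLength;
    size_t    paramLengthBytes;
} BoundParam;

static void bound_param_init(BoundParam *p, size_t bytes)
{
    p->paramLength      = calloc(bytes, 1);
    p->paramLengthBytes = p->paramLength ? bytes : 0;
}

static void bound_param_free(BoundParam *p)
{
    /* With a 4-byte buffer and an unchecked 8-byte write, the overrun
     * clobbers the allocator's bookkeeping and this free() is where
     * glibc aborts; here the write was refused, so the heap is intact. */
    free(p->paramLength);
    p->paramLength      = NULL;
    p->paramLengthBytes = 0;
}

/* Checked replacement for "*(SQLLEN*)lenBuf = value;": refuses the write
 * if the buffer is narrower than SQLLEN instead of overrunning it.
 * Returns 1 on success, 0 if the buffer is too small. memcpy also avoids
 * depending on the alignment of a sal_Int8 array. */
static int bound_param_set_len(BoundParam *p, SQLLEN value)
{
    if (p->paramLength == NULL || p->paramLengthBytes < sizeof value)
        return 0;
    memcpy(p->paramLength, &value, sizeof value);
    return 1;
}

/* Read the SQLLEN back the way the driver would through the SQLLEN*
 * it was handed in SQLBindParameter. */
static SQLLEN bound_param_get_len(const BoundParam *p)
{
    SQLLEN value;
    memcpy(&value, p->paramLength, sizeof value);
    return value;
}

/* Old allocation: the 8-byte write must be refused. Returns 1 if it was. */
int demo_old_alloc_is_rejected(void)
{
    BoundParam p;
    bound_param_init(&p, PARAMLEN_OLD_BYTES);
    int ok = bound_param_set_len(&p, SQL_NULL_DATA);
    bound_param_free(&p);
    return ok == 0;
}

/* Patched allocation: store SQL_NULL_DATA and read it back as a SQLLEN. */
SQLLEN demo_new_alloc_roundtrip(void)
{
    BoundParam p;
    SQLLEN got = 0;
    bound_param_init(&p, PARAMLEN_NEW_BYTES);
    if (bound_param_set_len(&p, SQL_NULL_DATA))
        got = bound_param_get_len(&p);
    bound_param_free(&p);
    return got;
}

/* How many bytes the hard-coded allocation is short by on this build:
 * 0 where SQLLEN is 32-bit, 4 where it is 64-bit. */
size_t demo_overrun_bytes(void)
{
    return sizeof(SQLLEN) > PARAMLEN_OLD_BYTES
           ? sizeof(SQLLEN) - PARAMLEN_OLD_BYTES : 0;
}

int main(void)
{
    printf("sizeof(SQLLEN) = %zu, hard-coded buffer = %u, overrun = %zu bytes\n",
           sizeof(SQLLEN), PARAMLEN_OLD_BYTES, demo_overrun_bytes());
    printf("4-byte buffer write rejected: %d\n", demo_old_alloc_is_rejected());
    printf("sizeof(SQLLEN) buffer round-trip: %lld\n",
           (long long)demo_new_alloc_roundtrip());
    return 0;
}
```

The same program built where SQLLEN is 32 bits reports an overrun of 0 and accepts both buffers, which is why the hard-coded 4 only bit on 64-bit builds; the metadata corruption the message describes is exactly the 4 bytes demo_overrun_bytes() reports landing past the end of the allocation.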

