On 14/02/12 15:37, Lionel Elie Mamane wrote:
Yet another odbc on 64 bit crash because of wrong buffer size. This is supposed to be a SQLLEN but was hardcoded as 4 bytes. You can see that e.g. in connectivity/source/drivers/odbcbase/OPreparedStatement.cxx, OPreparedStatement::setNull:

    sal_Int8* lenBuf = getLengthBuf (parameterIndex);
    *(SQLLEN*)lenBuf = SQL_NULL_DATA;

getLengthBuf just returns the paramLength member of the corresponding OBoundParam. On my machine in my (debug) build, that (or maybe some other piece of code, such as
would overwrite malloc's metadata, and thus in the OBoundParameter destructor:

    delete [] paramLength;

would call abort() because "bad pointer".
ouch.
Please apply to libreoffice-3-4 and libreoffice-3-5.
pushed to both:
http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-3-5&id=f3f925c8a4784cf578d2ab2d1b3f593f582bcdbc
http://cgit.freedesktop.org/libreoffice/libs-core/commit/?h=libreoffice-3-4&id=adb1ed5f13b4638690ca2966138eb2c61bdb1b53
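
The size mismatch described in this thread, as an added example that is not part of the original messages or of LibreOffice's code: a length buffer hardcoded to 4 bytes next to one sized from the type, with a store that checks the size before writing. `SqlLen`, `BoundParam` and `overrunBytes` are hypothetical names, and `SqlLen` is assumed to be 8 bytes, as SQLLEN is on a 64-bit build.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>

// Assumption: stand-in for ODBC's SQLLEN on a 64-bit build (8 bytes).
// Real code takes the type and SQL_NULL_DATA from the ODBC headers.
using SqlLen = std::int64_t;
constexpr SqlLen kSqlNullData = -1;  // SQL_NULL_DATA is defined as (-1)

// Bytes an unchecked "*(SQLLEN*)lenBuf = x" would write past a buffer.
std::size_t overrunBytes(std::size_t bufSize) {
    return bufSize < sizeof(SqlLen) ? sizeof(SqlLen) - bufSize : 0;
}

// Hypothetical bound-parameter holder (not LibreOffice's OBoundParam).
class BoundParam {
public:
    explicit BoundParam(std::size_t lenBufSize)
        : size_(lenBufSize), buf_(new std::int8_t[lenBufSize]()) {}

    // Checked store: refuses when the buffer cannot hold a whole SqlLen,
    // and uses memcpy so no misaligned or aliasing cast is needed.
    bool storeLength(SqlLen value) {
        if (overrunBytes(size_) != 0) return false;
        std::memcpy(buf_.get(), &value, sizeof value);
        return true;
    }
    bool loadLength(SqlLen& out) const {
        if (overrunBytes(size_) != 0) return false;
        std::memcpy(&out, buf_.get(), sizeof out);
        return true;
    }
private:
    std::size_t size_;
    std::unique_ptr<std::int8_t[]> buf_;
};

int main() {
    BoundParam hardcoded(4);              // the 4-byte size from the report
    BoundParam fixed(sizeof(SqlLen));     // sized from the type itself
    SqlLen v = 0;
    bool ok = !hardcoded.storeLength(kSqlNullData)
           && fixed.storeLength(kSqlNullData)
           && fixed.loadLength(v) && v == kSqlNullData;
    return ok ? 0 : 1;
}
```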