Commit 0f8f90f
Fix ConvertingString heap overflow without causing stack smash
Commit 832d8e7 changed lengthString = length/sizeof(wchar_t) to
length/sizeof(SQLWCHAR) to stop a 1-byte heap overflow in the internal
byteString when OdbcError::sqlGetDiagRec strcpy's a 6-byte SQL state
into the 5-byte buffer allocated on Linux (wchar_t=4).
That fix is wrong in the opposite direction: lengthString is also the
count passed to mbstowcs((wchar_t*)unicodeString, byteString,
lengthString) in the destructor, which writes lengthString *
sizeof(wchar_t) bytes into the caller's SQLWCHAR buffer. With
lengthString=6 and a 12-byte caller buffer, mbstowcs overruns by
12 bytes and smashes the caller's stack (reproducible without ASAN).
Revert line 88 to sizeof(wchar_t) to restore the safe mbstowcs bound,
and instead floor the internal byteString allocation at 8 bytes so the
strcpy no longer overflows. This is a targeted fix that keeps both the
ASAN job and normal runs green until the ConvertingString / mbstowcs
rewrite lands (issue #287 Tier 9.1).

1 parent 8258a27
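The two sizing mistakes the message describes, worked through on its own numbers as an added example (this is not code from the project or from commit 0f8f90f; the 2-byte `sqlwchar_t` typedef, the 64-element temporary, and the `to_sqlwchar` narrowing helper are assumptions standing in for the pending ConvertingString rewrite):

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumption: on Linux the ODBC headers define SQLWCHAR as a 2-byte unsigned
 * short while wchar_t is 4 bytes; this typedef models that mismatch. */
typedef unsigned short sqlwchar_t;

#define SQLSTATE_BYTES 6   /* five-character SQLSTATE plus NUL, per the message */
#define BYTE_BUF_FLOOR 8   /* the allocation floor 0f8f90f introduces */

/* Bytes mbstowcs may write for a given wide-char count (it adds no NUL past count). */
static size_t mbstowcs_bytes(size_t count) { return count * sizeof(wchar_t); }

/* lengthString as 832d8e7 computed it: caller bytes / sizeof(SQLWCHAR). */
static size_t bound_832d8e7(size_t caller_bytes) { return caller_bytes / sizeof(sqlwchar_t); }

/* lengthString as 0f8f90f restores it: caller bytes / sizeof(wchar_t). */
static size_t bound_0f8f90f(size_t caller_bytes) { return caller_bytes / sizeof(wchar_t); }

/* 1 if an mbstowcs bounded by count stays inside a caller buffer of caller_bytes. */
static int bound_is_safe(size_t count, size_t caller_bytes)
{
    return mbstowcs_bytes(count) <= caller_bytes;
}

/* Internal byteString size after 0f8f90f: count plus NUL, never below the floor. */
static size_t byte_alloc(size_t count)
{
    size_t n = count + 1;
    return n < BYTE_BUF_FLOOR ? BYTE_BUF_FLOOR : n;
}

/* The SQLSTATE strcpy overflows unless the allocation holds all six bytes. */
static int sqlstate_fits(size_t alloc) { return alloc >= SQLSTATE_BYTES; }

/* Hypothetical replacement for the destructor's
 * mbstowcs((wchar_t*)unicodeString, byteString, lengthString): convert into a
 * local wchar_t array bounded by the caller's SQLWCHAR element count, then
 * narrow element by element (BMP only). Returns wide chars stored, or
 * (size_t)-1 on an invalid multibyte sequence; NUL-terminates only when there
 * is room, exactly like mbstowcs. */
static size_t to_sqlwchar(sqlwchar_t *dst, size_t dst_bytes, const char *src)
{
    wchar_t tmp[64];                             /* assumed cap for diagnostics */
    size_t n = dst_bytes / sizeof(sqlwchar_t);   /* elements the caller can hold */
    size_t got, i;
    if (n > sizeof tmp / sizeof tmp[0]) n = sizeof tmp / sizeof tmp[0];
    if (n == 0) return 0;
    got = mbstowcs(tmp, src, n);
    if (got == (size_t)-1) return got;
    for (i = 0; i < got; i++) dst[i] = (sqlwchar_t)tmp[i];
    if (got < n) dst[got] = 0;
    return got;
}

/* Worked check on the commit's numbers: a 12-byte caller buffer. Returns 1 when
 * the 832d8e7 bound overruns exactly on platforms where wchar_t is wider than
 * SQLWCHAR, the restored bound never does, the floored allocation holds the
 * SQLSTATE, and to_sqlwchar stores "00000" with its terminator. */
static int demo(void)
{
    const size_t caller_bytes = 12;
    sqlwchar_t out[6];
    int old_ok = bound_is_safe(bound_832d8e7(caller_bytes), caller_bytes);
    int new_ok = bound_is_safe(bound_0f8f90f(caller_bytes), caller_bytes);
    size_t got;
    if (old_ok != (sizeof(wchar_t) == sizeof(sqlwchar_t))) return 0;
    if (!new_ok) return 0;
    if (!sqlstate_fits(byte_alloc(bound_0f8f90f(caller_bytes)))) return 0;
    got = to_sqlwchar(out, sizeof out, "00000");   /* constructed SQLSTATE */
    return got == 5 && out[0] == '0' && out[4] == '0' && out[5] == 0;
}
```

On a 4-byte-wchar_t system `bound_832d8e7(12)` is 6, so mbstowcs may write 24 bytes into the 12-byte buffer; `bound_0f8f90f(12)` is 3 and stays within 12 bytes, and `byte_alloc(3)` is floored from 4 to 8, which covers the six-byte SQLSTATE copy. The `to_sqlwchar` helper shows the shape the later rewrite needs: bound by the caller's element count and write SQLWCHAR-sized elements, rather than casting the SQLWCHAR buffer to `wchar_t*`.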
1 file changed
Lines changed: 11 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
85 | 85 | | |
86 | 86 | | |
87 | 87 | | |
88 | | - | |
| 88 | + | |
89 | 89 | | |
90 | 90 | | |
91 | 91 | | |
| |||
219 | 219 | | |
220 | 220 | | |
221 | 221 | | |
222 | | - | |
223 | | - | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
224 | 232 | | |
225 | 233 | | |
226 | 234 | | |
| |||
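Review bot: the one-line hunk at line 88 carries no visible content on this page, so the revert to `length/sizeof(wchar_t)` can only be checked against the message, and that bound is a byte bound, not an element count: each wchar_t mbstowcs writes is sizeof(wchar_t) bytes while the caller's buffer is SQLWCHAR-typed, so by the message's own numbers a 12-byte caller buffer now receives three 4-byte wchar_t values instead of six SQLWCHARs. Add a comment at the reverted line stating that the cast to `wchar_t*` stays wrong on Linux and that the bound only prevents the overrun until the issue #287 rewrite, so the next reader does not "fix" it back to `sizeof(SQLWCHAR)`.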
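Review bot: the 8-byte floor on the byteString allocation in the hunk at lines 222-231 (content not visible here) should be a named constant with a comment tying it to the six-byte SQLSTATE that sqlGetDiagRec strcpy's, otherwise 8 reads as a magic number; and the strcpy itself is still unbounded by the allocation, so the floor only covers the SQLSTATE case the message names and any longer diagnostic string copied the same way would overflow again. Check the source length against the allocation before the copy, or use a length-bounded copy with the allocation size.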
0 commit comments