Re: buffer overwrite in function BuildBindRequest (file convert.c line 3749)

On 01/09/2014 04:04 PM, Patrice Dardoize wrote:
> Hello,
>
> I'm using odbc driver version 9.3.1.0 for PostgreSQL.
>
> I'm trying to insert a new row in a table containing 3 columns (integer,
> varying character (150) and bytea).
>
> Depending on the data size transfered to the bytea column, I experience a
> buffer overwrite (memory written at the very end of memory allocated for
> variable qb.query_statement).
>
> After having downloaded the latest available source code and compiled the
> odbc driver (under Visual Studio 2010), I found out that a problem may
> occur in function BuildBindRequest (from file convert.c line 3749) when
> appending a terminating 0 (Int2) at the end of qb.query_statement.
>
> The memory actually allocated for this buffered (for which the size is
> stored in qb.str_alsize as I could understand) may be insufficient to
> contain the Int2.

Yep, good catch.

> I've just added a call to ENLARGE_NEWSTATEMENT to fix
> the problem :
>
> leng = qb.npos;
> ENLARGE_NEWSTATEMENT((&qb), leng + sizeof(Int2)); /* this line was
> added to correct the buffer overwrite */
> memset(qb.query_statement + leng, 0, sizeof(Int2)); /* result
> format is text */
> leng += sizeof(Int2);

That's not 100% correct, ENLARGE_NEWSTATEMENT will not do the right
thing in this function if the allocation fails. But I committed a fix
along those lines.

> In order to reproduce the issue, you may simply try to insert a new row
> containing :
> - an arbitrary int value for the first column
> - NULL for the second column
> - any binary content of 8132 bytes length

I also added a test case to the regression test suite that does
something like that.

Thanks for the report!

- Heikki