[Libreoffice-bugs] [Bug 112947] New: Possible write to free'd memory in OResultSet.cxx

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Fri Oct 6 17:34:50 UTC 2017


https://bugs.documentfoundation.org/show_bug.cgi?id=112947

            Bug ID: 112947
           Summary: Possible write to free'd memory in OResultSet.cxx
           Product: LibreOffice
           Version: 5.4.2.2 release
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: LibreOffice
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: nick at lurcher.org

While writing an ODBC driver and running with valgrind, I noticed that
creating a DB query could lead to the driver writing to free'd space.

Process is in OResultSet.cxx

Row status array is allocated and set in the driver:

m_pRowStatusArray = new SQLUSMALLINT[1]; // the default value
setStmtOption<SQLUSMALLINT*, SQL_IS_POINTER>(SQL_ATTR_ROW_STATUS_PTR, m_pRowStatusArray);

However, in the destructor, when OResultSet is released, m_pRowStatusArray is
released, but the address is not reset in the ODBC driver, so the next time that
statement is used, that address is referenced.

A simple (and seemingly working) fix is to reset the value when it's released:

OResultSet::~OResultSet()
{
    // Unregister the buffer with the driver before freeing it, so the
    // statement no longer holds the address of the deleted array.
    setStmtOption<SQLUSMALLINT*, SQL_IS_POINTER>(SQL_ATTR_ROW_STATUS_PTR, NULL);
    delete [] m_pRowStatusArray;
    delete m_pSkipDeletedSet;
}

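A small self-contained model of the lifetime problem described in this report, added here as an illustration and not code from the report or from LibreOffice. MockStatement, ResultSet and the two check functions are constructed stand-ins: the real ODBC statement handle is replaced by a struct that writes through whatever pointer was registered as SQL_ATTR_ROW_STATUS_PTR.

```cpp
using SQLUSMALLINT = unsigned short; // stand-in for the ODBC type

// MockStatement is a hypothetical stand-in for the driver-side statement handle:
// it stores the buffer registered as SQL_ATTR_ROW_STATUS_PTR and writes a row
// status through it on every fetch, as a real driver does.
struct MockStatement {
    SQLUSMALLINT* rowStatusPtr = nullptr;
    // Returns true if a status was written, false if no buffer is registered.
    bool fetch() {
        if (rowStatusPtr == nullptr)
            return false;
        *rowStatusPtr = 0; // SQL_ROW_SUCCESS; a real driver writes here unconditionally
        return true;
    }
};

// Models OResultSet: allocates the one-element status array and registers it.
// With applyFix == false the destructor behaves as reported (frees the array and
// leaves the driver's pointer dangling); with applyFix == true it unregisters first.
class ResultSet {
    MockStatement& m_stmt;
    SQLUSMALLINT* m_pRowStatusArray;
    bool m_applyFix;
public:
    ResultSet(MockStatement& s, bool applyFix)
        : m_stmt(s), m_pRowStatusArray(new SQLUSMALLINT[1]), m_applyFix(applyFix) {
        m_stmt.rowStatusPtr = m_pRowStatusArray;
    }
    ~ResultSet() {
        if (m_applyFix)
            m_stmt.rowStatusPtr = nullptr; // driver no longer knows the address
        delete[] m_pRowStatusArray;
    }
};

// True if the driver still holds the freed address after the unfixed result set
// is destroyed; the pointer is only compared, never dereferenced.
bool buggyLeavesDanglingPointer() {
    MockStatement stmt;
    { ResultSet rs(stmt, false); }
    return stmt.rowStatusPtr != nullptr;
}

// True if, with the fix, the driver has no buffer left and fetch() writes nothing.
bool fixedResetsDriverPointer() {
    MockStatement stmt;
    { ResultSet rs(stmt, true); }
    return stmt.rowStatusPtr == nullptr && !stmt.fetch();
}
```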