[PATCH] [REVIEW:3-5,3-4] odbc 64 bits crash
Lionel Elie Mamane
lionel at mamane.lu
Tue Feb 14 06:37:21 PST 2012
Yet another odbc on 64 bit crash because of wrong buffer size. This is
supposed to be a SQLLEN but was hardcoded as 4 bytes.
You can see that e.g. in
connectivity/source/drivers/odbcbase/OPreparedStatement.cxx,
OPreparedStatement::setNull:
sal_Int8* lenBuf = getLengthBuf (parameterIndex);
*(SQLLEN*)lenBuf = SQL_NULL_DATA;
getLengthBuf just returns the paramLength member of the corresponding
OBoundParam.
On my machine in my (debug) build, that (or maybe some other piece of
code, such as
line 875:   memcpy (lenBuf, &atExec, sizeof (atExec));
line 882:   N3SQLBindParameter(m_aStatementHandle,
                               (SQLUSMALLINT)ParameterIndex,
                               (SQLUSMALLINT)SQL_PARAM_INPUT,
                               Ctype,
                               (SQLSMALLINT)SQLtype,
                               (SQLULEN)length,
                               0,
                               dataBuf,
                               sizeof(ParameterIndex),
                               (SQLLEN*)lenBuf);
)
would overwrite malloc's metadata, and thus in the OBoundParameter destructor:
delete [] paramLength;
would call abort() because "bad pointer".
Please apply to libreoffice-3-4 and libreoffice-3-5.
Thanks,
BTW, even after "export MALLOC_CHECK_=3", I wouldn't get free() to
properly complain on stderr, gdb showed malloc_printerr called with
action=2 instead of action=3. Quid?
--
Lionel
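The sizing bug described above, as an added stand-alone illustration (not LibreOffice's code and not part of the patch): a 4-byte length buffer receives the SQLLEN-sized store that setNull performs, and the bytes that land past the buffer, which in the real driver were malloc's metadata, are counted against a canary. SQLLEN is assumed pointer-sized (as in unixODBC on LP64) and SQL_NULL_DATA is taken as -1 from the ODBC headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stand-ins (assumptions): a pointer-sized SQLLEN, as unixODBC defines it on
   LP64 systems, and the ODBC constant SQL_NULL_DATA == -1. */
typedef ptrdiff_t SQLLEN;
#define SQL_NULL_DATA (-1)

#define HARDCODED_LEN_BYTES 4   /* the size the buggy code allocated */
#define CANARY 0xAA             /* constructed stand-in for the neighbouring heap bytes */

/* Simulates the buggy path: a 4-byte length buffer followed by neighbouring
   memory (the canary), then the SQLLEN-sized store done by setNull.
   Returns how many bytes beyond the 4-byte buffer were overwritten. */
size_t bytes_clobbered_by_hardcoded_buf(void)
{
    unsigned char region[HARDCODED_LEN_BYTES + sizeof(SQLLEN)];
    memset(region, CANARY, sizeof region);

    SQLLEN v = SQL_NULL_DATA;
    /* equivalent of *(SQLLEN*)lenBuf = SQL_NULL_DATA; memcpy keeps the
       write inside `region` so the simulation itself is well defined */
    memcpy(region, &v, sizeof v);

    size_t clobbered = 0;
    for (size_t i = HARDCODED_LEN_BYTES; i < sizeof region; i++)
        if (region[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* Corrected sizing: the length buffer must hold a whole SQLLEN. */
size_t required_length_buf_bytes(void)
{
    return sizeof(SQLLEN);
}

/* Check a proposed allocation size against the real requirement. */
int length_buf_size_is_safe(size_t allocated_bytes)
{
    return allocated_bytes >= sizeof(SQLLEN);
}

int main(void)
{
    printf("SQLLEN is %zu bytes; a %d-byte buffer spills %zu bytes into its neighbour\n",
           sizeof(SQLLEN), HARDCODED_LEN_BYTES, bytes_clobbered_by_hardcoded_buf());
    return 0;
}
```

On a 64-bit build the spill is 4 bytes; on a 32-bit build SQLLEN fits and nothing is clobbered, which is why the bug only surfaced on 64-bit.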