
Key: CORE-2222
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Vlad Khorsun
Reporter: Vlad Khorsun
Votes: 0
Watchers: 0
Project: Firebird Core

AV in engine when storing text blob with transliteration blob filter

Created: 02/Dec/08 11:35 AM   Updated: 02/Dec/09 12:40 PM
Component/s: Engine
Affects Version/s: 2.1.0, 2.5 Alpha 1, 2.1.1
Fix Version/s: 2.1.2, 2.5 Beta 1

Time Tracking:
Not Specified

File Attachments: 1. Zip Archive core-2222.zip (0.4 kB)

Planning Status: Unspecified

Vlad Khorsun added a comment - 02/Dec/08 11:57 AM
User test case:

Run Firebird and open 2 command prompts.

1. isql <any database> -ch win1251 -user ... -pass ...
input core-2222.sql;

2. isql <same database> -ch win1251 -user ... -pass ...
select char_length(mon$sql_text) from mon$statements;

The server crashed here.

Vlad Khorsun added a comment - 02/Dec/08 12:05 PM
The problem is in filter_transliterate_text() when handling the isc_blob_filter_put_segment action.

/* How much space do we need to convert? */
result_length = aux->ctlaux_obj1.convertLength(len);

result_length is USHORT, while CsConvert::convertLength() returns a ULONG value since v2.0 (if I am not mistaken). It may return 4 times more bytes than were passed in "len" and easily overflow the USHORT value. Therefore a small buffer is allocated in aux->ctlaux_buffer1 and CsConvert::convert() overflows it, corrupting memory.
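The width mismatch described in this comment, modelled as an added C illustration (not Firebird source): convert_length() stands in for CsConvert::convertLength() with the 4x expansion the comment mentions, and all other function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t USHORT;   /* Firebird's 16-bit unsigned type */
typedef uint32_t ULONG;    /* Firebird's 32-bit unsigned type */

/* Stand-in for CsConvert::convertLength(): worst-case expansion of a
 * character-set conversion is 4 output bytes per input byte. A blob
 * segment length is itself a USHORT, so the product always fits a ULONG
 * but not necessarily a USHORT. */
static ULONG convert_length(USHORT len)
{
    return (ULONG) len * 4;
}

/* Buggy shape from the report: the ULONG result is stored in a USHORT.
 * For len >= 16384 it wraps modulo 65536, so a buffer sized from it is
 * smaller than what convert() will later write into it. */
USHORT buggy_result_length(USHORT len)
{
    USHORT result_length = (USHORT) convert_length(len); /* silent narrowing */
    return result_length;
}

/* Fixed shape: keep the full width so the buffer is allocated at the
 * real size and no later write can exceed it. */
ULONG fixed_result_length(USHORT len)
{
    ULONG result_length = convert_length(len);
    return result_length;
}

/* Detection: 1 if narrowing to USHORT would undersize the buffer. The
 * uncast assignment in the original is what -Wconversion flags at build time. */
int narrowing_undersizes(USHORT len)
{
    return (ULONG) buggy_result_length(len) != fixed_result_length(len);
}

int main(void)
{
    const USHORT samples[] = { 1000, 16383, 16384, 20000 };   /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%u real=%lu truncated=%u undersized=%d\n",
               samples[i], (unsigned long) fixed_result_length(samples[i]),
               buggy_result_length(samples[i]), narrowing_undersizes(samples[i]));
    }
    return 0;
}
```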