[#CORE-2222] AV in engine when storing text blob with transliteration blob filter

Firebird Core

AV in engine when storing text blob with transliteration blob filter

Created: 02/Dec/08 11:35 AM Updated: 02/Dec/09 12:40 PM

Component/s:

Engine

Affects Version/s:

2.1.0, 2.5 Alpha 1, 2.1.1

Fix Version/s:

2.1.2, 2.5 Beta 1

Time Tracking:

Not Specified

File Attachments:

core-2222.zip (0.4 kB)

Issue Links:

Relate

This issue is related to:

~~CORE-2785~~ BLOB transliteration problem in a specific case

Planning Status:

Unspecified

All

Comments

Work Log

Change History

Version Control

Subversion Commits

Sort Order:

[ Permalink | « Hide ]

Vlad Khorsun added a comment - 02/Dec/08 11:57 AM

User test case:

Run Firebird and open 2 command prompts.

1. isql <any database> -ch win1251 -user ... -pass ...
input core-2222.sql;

2. isql <same database> -ch win1251 -user ... -pass ...
select char_length(mon$sql_text) from mon$statements;

server crashed here

[ Permalink | « Hide ]

Vlad Khorsun added a comment - 02/Dec/08 12:05 PM

The problem is in filter_transliterate_text() doing isc_blob_filter_put_segment action.

/* How much space do we need to convert? */
result_length = aux->ctlaux_obj1.convertLength(len);

result_length is USHORT, while CsConvert::convertLength() returns ULONG value since v2.0 (if i not mistaken). It may return 4 times more bytes than was passed in "len" and easy overflow USHORT value. Therefore small buffer allocated in aux->ctlaux_buffer1 and CsConvert::convert() overflow it corrupting memory.