AV in engine when storing text blob with transliteration blob filter [CORE2222] #2650
Comments
Commented by: @hvlad
User test case: Run Firebird and open 2 command prompts.
1. isql <any database> -ch win1251 -user ... -pass ...
2. isql <same database> -ch win1251 -user ... -pass ...
server crashed here

Modified by: @hvlad
Attachment: core-2222.zip [ 11220 ]
Commented by: @hvlad
The problem is in filter_transliterate_text() doing the isc_blob_filter_put_segment action.
result_length is USHORT, while CsConvert::convertLength() returns a ULONG value since v2.0 (if I am not mistaken). It may return 4 times more bytes than were passed in "len" and easily overflow the USHORT value. Therefore a small buffer is allocated in aux->ctlaux_buffer1 and CsConvert::convert() overflows it, corrupting memory.
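The defect described in the comment above is a classic width-narrowing bug: a length computed in a wide type is stored in a 16-bit field, the buffer is sized from the wrapped value, and the conversion then writes the full amount. The following is an added illustration, not Firebird code; `convert_length`, `buggy_result_length` and `safe_result_length` are hypothetical stand-ins for the pattern, and the 4x expansion factor is taken from the report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a charset conversion whose output can be up to
 * four times the input (the worst case the report describes). Hypothetical
 * names; this is not Firebird's CsConvert::convertLength(). */
#define MAX_BYTES_PER_CHAR 4UL

static unsigned long convert_length(unsigned long len)
{
    return len * MAX_BYTES_PER_CHAR;
}

/* Pattern from the report: the ULONG result lands in a USHORT. For any
 * len >= 16384 the value wraps modulo 65536, so a buffer sized from it is
 * far smaller than what the conversion will actually write. */
unsigned short buggy_result_length(unsigned long len)
{
    unsigned short result_length = (unsigned short)convert_length(len);
    return result_length;
}

/* True when a buffer allocated from the truncated length cannot hold the
 * converted text, i.e. when the subsequent convert() would overrun it. */
bool buggy_buffer_too_small(unsigned long len)
{
    return (unsigned long)buggy_result_length(len) < convert_length(len);
}

/* Hardened variant: check before multiplying and before narrowing, and
 * report failure (-1) so the caller can reject the segment rather than
 * allocate an undersized buffer. */
long safe_result_length(unsigned long len)
{
    if (len > ULONG_MAX / MAX_BYTES_PER_CHAR)
        return -1;                       /* multiplication would wrap */
    unsigned long needed = convert_length(len);
    if (needed > USHRT_MAX)
        return -1;                       /* does not fit the USHORT field */
    return (long)needed;
}

int main(void)
{
    unsigned long len = 20000;           /* constructed segment length */
    printf("len=%lu truncated=%u needed=%lu too_small=%d safe=%ld\n",
           len, buggy_result_length(len), convert_length(len),
           buggy_buffer_too_small(len), safe_result_length(len));
    return 0;
}
```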
Modified by: @hvlad
assignee: Vlad Khorsun [ hvlad ]

Modified by: @hvlad
status: Open [ 1 ] => Open [ 1 ]
Fix Version: 2.1.2 [ 10270 ]
Fix Version: 2.5 Beta 1 [ 10251 ]

Modified by: @pcisar
status: Resolved [ 5 ] => Closed [ 6 ]

Modified by: @asfernandes

Modified by: @pavel-zotov
QA Status: No test
Submitted by: @hvlad
Is related to CORE2785
Attachments:
core-2222.zip
Commits: 8bb2d57 f839b23