Issue Details (XML | Word | Printable)

Key: CORE-2313
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Claudio Valderrama C.
Reporter: Claudio Valderrama C.
Votes: 0
Watchers: 0

If you were logged in you would be able to see more operations.
Firebird Core

INF_* functions may invalidate the whole output buffer with isc_info_truncated at the beginning due to boundary condition.

Created: 09/Feb/09 09:10 AM   Updated: 22/Aug/16 06:20 AM
Component/s: Engine
Affects Version/s: 2.1.0, 2.5 Alpha 1, 2.1.1, 2.1.2, 2.5 Beta 1, 2.1.3
Fix Version/s: 2.5 Beta 1, 2.1.3

Environment: Platform independent.

QA Status: Cannot be tested

 Description  « Hide
In FB1, I noticed that INF_put_item may put the requested item but without leaving any space for isc_info_end and thus returning a malformed buffer to the user, that may eventually crash while finding the end of the binary string. Hence, I made INF_put_item check for one byte more of space before writing, otherwise putting isc_info_truncated and nothing more. This change avoided cluttering the code in the INF_* functions with checks and it worked well in FB1.0, FB1.5 and FB2.0.
However, in FB2.1, Vlad added isc_info_length as an initial item to inform the user of the output's total length. For this task, once the buffer is filled, he shifts it to make room for 7 bytes at the beginning and calls INF_put_item. However, this function is unaware that it's inserting (isc_info_end is already stored) and if only 7 bytes are available in the buffer, it will fail, writing isc_info_truncated at the very beginning, effectively invalidating all the information stored in the output buffer. This is a boundary case and didn't find it in practice but by reading the code. The affected functions are those where Vlad made the enhancement: INF_blob_info, INF_request_info and INF_transaction_info. INF_database_info isn't affected because it was left unchanged by Vlad.

 All   Comments   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
Claudio Valderrama C. added a comment - 09/Feb/09 09:12 AM
SVC_query2 is affected as well. This means the call to get information from a service may exhibit the same anomalous behavior.