Server crashes while converting an overscaled numeric to a string [CORE4093] #4421

Closed
firebird-automations opened this issue Apr 27, 2013 · 13 comments

Comments

@firebird-automations
Collaborator

Submitted by: Petr Gurin (gurin)

Is related to QA513

select cast(round(123.45, -40) as varchar (41)) from rdb$database
works fine,

select cast(round(123.45, -40) as varchar (40)) from rdb$database
does: conversion error from string "00000000000000000000000000000000000000000", but

select cast(round(123.45, -41) as varchar (41)) from rdb$database
crashes the server.
This select is really stupid and the problem was found occasionally while I was testing the boundary behaviour of converting stored procedure; but the similar request gives the possibility for the user to crash server practically without any permissions.

Commits: 8ea5479 bdbc5ea d276486 FirebirdSQL/fbt-repository@7d3f215 FirebirdSQL/fbt-repository@c06de4e FirebirdSQL/fbt-repository@8dbdec4 FirebirdSQL/fbt-repository@94d5e36

@firebird-automations
Collaborator Author

Modified by: Petr Gurin (gurin)

Version: 2.5.2 Update 1 [ 10521 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

priority: Minor [ 4 ] => Major [ 3 ]

Component: Engine [ 10000 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

assignee: Dmitry Yemanov [ dimitr ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: Open [ 1 ] => In Progress [ 3 ]

@firebird-automations
Collaborator Author

Commented by: @dyemanov

Another test case for a crash:

select cast(cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) as varchar (41)) from rdb$database

It demonstrates two different (although related) buffer overruns (32 bytes in cvt.cpp::integer_to_text() and 41 bytes in cvt.cpp::CVT_conversion_error()). In both cases, our code assumes that any numeric is limited. However, there's no scale validation in the engine so NUMERIC(18, 45) is internally accepted and this leads to crashes in numeric->string conversion routines.
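
The two checks whose absence the comment above describes, as an added example that is not part of the original thread and is not Firebird's code or its fix: validate the scale before it drives any length, then compute the full output length before writing. The function name `scaled_to_text`, the `MAX_ABS_SCALE` limit and the scale sign convention are assumptions made for this sketch.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this sketch: 18 digits of precision, so |scale| <= 18. */
#define MAX_ABS_SCALE 18

/* Convert value * 10^scale to text. scale < 0 means -scale fractional digits,
 * scale > 0 means that many trailing zeros (convention assumed here).
 * Returns the text length, -1 for a bad scale, -2 if out is too small. */
int scaled_to_text(int64_t value, int scale, char *out, size_t out_len)
{
    char digits[24];                 /* a 64-bit value has at most 20 digits */
    size_t ndig, frac, lead, trail, total, pos = 0;
    int neg = value < 0;
    uint64_t mag = neg ? 0 - (uint64_t)value : (uint64_t)value;

    /* Check 1: reject an overscaled value before it sizes anything. */
    if (scale < -MAX_ABS_SCALE || scale > MAX_ABS_SCALE)
        return -1;
    ndig = (size_t)snprintf(digits, sizeof digits, "%" PRIu64, mag);
    frac = scale < 0 ? (size_t)(-scale) : 0;
    trail = scale > 0 ? (size_t)scale : 0;
    /* Zeros needed so at least one digit sits left of the decimal point. */
    lead = (frac >= ndig) ? frac - ndig + 1 : 0;

    /* Check 2: know the full length up front and compare it with the buffer. */
    total = (size_t)neg + lead + ndig + trail + (frac ? 1 : 0);
    if (total + 1 > out_len)
        return -2;

    if (neg) out[pos++] = '-';
    memset(out + pos, '0', lead);   pos += lead;
    memcpy(out + pos, digits, ndig); pos += ndig;
    memset(out + pos, '0', trail);  pos += trail;
    if (frac) {
        /* Shift the last frac digits right by one and insert the point. */
        memmove(out + pos - frac + 1, out + pos - frac, frac);
        out[pos - frac] = '.';
        pos++;
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void) {
    char buf[64];  /* scale -45 mirrors the overscaled product in the test case */
    return scaled_to_text(0, -45, buf, sizeof buf) == -1 ? 0 : 1;
}
```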

@firebird-automations
Collaborator Author

Modified by: @dyemanov

summary: Simple select with casting rounded numeric as varchar crushes the server => Server crashes while converting an overscaled numeric to a string

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: In Progress [ 3 ] => Open [ 1 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 Alpha 1 [ 10331 ]

Fix Version: 2.5.3 [ 10461 ]

Fix Version: 2.1.6 [ 10460 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

Version: 2.1.5 Update 1 [ 10522 ]

Version: 2.5.2 [ 10450 ]

Version: 2.1.5 [ 10420 ]

Version: 2.0.7 [ 10390 ]

Version: 2.5.1 [ 10333 ]

Version: 2.1.4 [ 10361 ]

Version: 2.5.0 [ 10221 ]

Version: 2.0.6 [ 10303 ]

Version: 3.0 Initial [ 10301 ]

Version: 2.1.3 [ 10302 ]

Version: 2.1.2 [ 10270 ]

Version: 2.0.5 [ 10222 ]

Version: 2.1.1 [ 10223 ]

Version: 2.1.0 [ 10041 ]

Version: 2.5.3 [ 10461 ] =>

@firebird-automations
Collaborator Author

Modified by: @pcisar

Link: This issue is related to QA513 [ QA513 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Done successfully

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
