
Key: CORE-4093
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Dmitry Yemanov
Reporter: Petr Gurin
Votes: 0
Watchers: 2

Firebird Core

Server crashes while converting an overscaled numeric to a string

Created: 27/Apr/13 07:01 AM   Updated: 12/Jul/15 06:05 AM
Component/s: Engine
Affects Version/s: 2.1.0, 2.1.1, 2.0.5, 2.1.2, 2.1.3, 3.0 Initial, 2.0.6, 2.5.0, 2.1.4, 2.5.1, 2.0.7, 2.1.5, 2.5.2, 2.1.5 Update 1, 2.5.2 Update 1
Fix Version/s: 3.0 Alpha 1, 2.1.6, 2.5.3

Environment: Windows 7, I suppose any other also
Issue Links:

QA Status: Done successfully

Description
select cast(round(123.45, -40) as varchar (41)) from rdb$database
works fine,

select cast(round(123.45, -40) as varchar (40)) from rdb$database
does: conversion error from string "00000000000000000000000000000000000000000", but

select cast(round(123.45, -41) as varchar (41)) from rdb$database
crashes the server.
This select is really stupid and the problem was found occasionally while I was testing the boundary behaviour of converting stored procedure; but the similar request gives the possibility for the user to crash the server practically without any permissions.

Comments
Dmitry Yemanov added a comment - 28/Apr/13 08:14 AM
Another test case for a crash:

select cast(cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) as varchar (41)) from rdb$database

It demonstrates two different (although related) buffer overruns (32 bytes in cvt.cpp::integer_to_text() and 41 bytes in cvt.cpp::CVT_conversion_error()). In both cases, our code assumes that any numeric is limited. However, there's no scale validation in the engine so NUMERIC(18, 45) is internally accepted and this leads to crashes in numeric->string conversion routines.
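To illustrate the defensive shape of a scaled-integer-to-text routine that the comment above implies (validate the scale, and bound the write to the caller's buffer instead of assuming the result fits), here is an added example. It is not Firebird's cvt.cpp code; MAX_SCALE, the function names and the buffer sizes are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Assumed upper bound on scale; the point is only that some bound is
   enforced before any digits are written. */
#define MAX_SCALE 18

/* Render value * 10^-scale as decimal text into out[out_len].
   Returns false, writing nothing, if the scale is out of range or the
   text (plus NUL) would not fit, so an oversized scale can never overrun. */
bool scaled_int_to_text(int64_t value, int scale, char *out, size_t out_len)
{
    if (scale < 0 || scale > MAX_SCALE)      /* the missing scale validation */
        return false;

    char digits[32];                          /* 20 digits max for uint64 */
    /* Magnitude via unsigned arithmetic so INT64_MIN is handled. */
    uint64_t mag = value < 0 ? (uint64_t)0 - (uint64_t)value : (uint64_t)value;
    int n = 0;
    do { digits[n++] = (char)('0' + mag % 10); mag /= 10; } while (mag);
    while (n <= scale) digits[n++] = '0';     /* keep one digit before '.' */

    size_t need = (size_t)n + (scale ? 1 : 0) + (value < 0 ? 1 : 0);
    if (need + 1 > out_len)                   /* bounded check, not an overrun */
        return false;

    char *p = out;
    if (value < 0) *p++ = '-';
    for (int i = n - 1; i >= 0; --i) {        /* digits[] is least significant first */
        if (scale && i == scale - 1) *p++ = '.';
        *p++ = digits[i];
    }
    *p = '\0';
    return true;
}

/* Helper for checking: true only if conversion succeeds and matches expect. */
bool check_text(int64_t value, int scale, size_t cap, const char *expect)
{
    char buf[64];
    if (cap > sizeof buf) return false;
    if (!scaled_int_to_text(value, scale, buf, cap)) return false;
    return strcmp(buf, expect) == 0;
}
```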