Server crashes while converting an overscaled numeric to a string [CORE4093] #4421
Comments
Modified by: Petr Gurin (gurin) description: {{{ =>
select cast(round(123.45, -40) as varchar (41)) from rdb$database
select cast(round(123.45, -40) as varchar (40)) from rdb$database
select cast(round(123.45, -41) as varchar (41)) from rdb$database
Modified by: Petr Gurin (gurin) Version: 2.5.2 Update 1 [ 10521 ]
Modified by: @dyemanov assignee: Dmitry Yemanov [ dimitr ]
Modified by: @dyemanov status: Open [ 1 ] => In Progress [ 3 ]
Commented by: @dyemanov
Another test case for a crash:
select cast(cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) as varchar (41)) from rdb$database
It demonstrates two different (although related) buffer overruns (32 bytes in cvt.cpp::integer_to_text() and 41 bytes in cvt.cpp::CVT_conversion_error()). In both cases, our code assumes that any numeric is limited. However, there's no scale validation in the engine so NUMERIC(18, 45) is internally accepted and this leads to crashes in numeric->string conversion routines.
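A bounded numeric-to-text conversion that validates the scale and computes the required length before writing, as an added example (not part of the comment above, not Firebird's code and not the committed fix). The names `scaled_to_text` and `MAX_SCALE`, the limit of 18, and the convention that a negative scale means fractional digits are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example: an 18-digit numeric carries at most 18 scale digits. */
#define MAX_SCALE 18

/* Writes value * 10^scale as decimal text. Returns the length written, or -1
 * when the scale is out of range or the text (plus NUL) does not fit; on
 * failure nothing is written to out. */
int scaled_to_text(int64_t value, int scale, char *out, size_t out_size)
{
    char digits[24];                       /* 20 digits of UINT64_MAX + NUL fit */
    if (scale < -MAX_SCALE || scale > MAX_SCALE)
        return -1;                         /* validate scale before any sizing math */

    /* Magnitude without signed overflow on INT64_MIN. */
    uint64_t mag = value < 0 ? 0 - (uint64_t)value : (uint64_t)value;
    int n = snprintf(digits, sizeof digits, "%llu", (unsigned long long)mag);
    int neg = value < 0;
    int frac = scale < 0 ? -scale : 0;               /* digits after the point */
    int trail = (scale > 0 && mag != 0) ? scale : 0; /* zeros appended */
    int int_len = n > frac ? n - frac : 1;           /* "0" if all digits are fractional */
    int pad = frac > n ? frac - n : 0;               /* zeros between point and digits */
    int total = neg + int_len + (frac ? 1 + frac : 0) + trail;

    if ((size_t)total + 1 > out_size)
        return -1;                         /* size check happens before the first write */

    char *p = out;
    if (neg) *p++ = '-';
    if (n > frac) { memcpy(p, digits, (size_t)(n - frac)); p += n - frac; }
    else *p++ = '0';
    if (frac) {
        int take = n > frac ? frac : n;
        *p++ = '.';
        memset(p, '0', (size_t)pad); p += pad;
        memcpy(p, digits + n - take, (size_t)take); p += take;
    }
    memset(p, '0', (size_t)trail); p += trail;
    *p = '\0';
    return total;
}

int main(void)
{
    char buf[41];                          /* constructed: sized like the varchar (41) cast */
    printf("scale -45 -> %d\n", scaled_to_text(0, -45, buf, sizeof buf));
    if (scaled_to_text(12345, -2, buf, sizeof buf) > 0) printf("%s\n", buf);
    return 0;
}
```
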
Modified by: @dyemanov summary: Simple select with casting rounded numeric as varchar crushes the server => Server crashes while converting an overscaled numeric to a string
Modified by: @dyemanov status: In Progress [ 3 ] => Open [ 1 ]
Modified by: @dyemanov status: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 3.0 Alpha 1 [ 10331 ] Fix Version: 2.5.3 [ 10461 ] Fix Version: 2.1.6 [ 10460 ]
Modified by: @dyemanov Version: 2.1.5 Update 1 [ 10522 ] Version: 2.5.2 [ 10450 ] Version: 2.1.5 [ 10420 ] Version: 2.0.7 [ 10390 ] Version: 2.5.1 [ 10333 ] Version: 2.1.4 [ 10361 ] Version: 2.5.0 [ 10221 ] Version: 2.0.6 [ 10303 ] Version: 3.0 Initial [ 10301 ] Version: 2.1.3 [ 10302 ] Version: 2.1.2 [ 10270 ] Version: 2.0.5 [ 10222 ] Version: 2.1.1 [ 10223 ] Version: 2.1.0 [ 10041 ] Version: 2.5.3 [ 10461 ] =>
Modified by: @pavel-zotov status: Resolved [ 5 ] => Closed [ 6 ]
Submitted by: Petr Gurin (gurin)
Is related to QA513
select cast(round(123.45, -40) as varchar (41)) from rdb$database
works fine,
select cast(round(123.45, -40) as varchar (40)) from rdb$database
does: conversion error from string "00000000000000000000000000000000000000000", but
select cast(round(123.45, -41) as varchar (41)) from rdb$database
crashes the server.
This select is really stupid and the problem was found occasionally while I was testing the boundary behaviour of a converting stored procedure; but a similar request gives the user the possibility to crash the server practically without any permissions.
Commits: 8ea5479 bdbc5ea d276486 FirebirdSQL/fbt-repository@7d3f215 FirebirdSQL/fbt-repository@c06de4e FirebirdSQL/fbt-repository@8dbdec4 FirebirdSQL/fbt-repository@94d5e36