diff options
| author | Mike Kaganski <mike.kaganski@collabora.com> | 2021-09-01 17:41:05 +0200 |
|---|---|---|
| committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-09-02 17:04:55 +0200 |
| commit | 1266d8bea7044b14177feb62241d96508363a2f9 (patch) | |
| tree | 2ce5713f4846639bb46945f019cff7d49c50b111 | |
| parent | de834f98e22e660b186cb4b27b228d189c194ee7 (diff) | |
tdf#144230: sanitize string length embedded in SQL_VARYING data
It is unclear why the length may be wrong; but at least be safe to
avoid buffer overruns.
Wrt the validity of sqllen here: see SQLDAMetadata::scatterData in
firebird's src/yvalve/why.cpp.
Change-Id: Icc24c1cc0db66c20732188ab0621cde53c1ba5c2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121458
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
(cherry picked from commit 2e5dad443a30055d93dbcb3bf9cac906e80b2e25)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121462
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
| -rw-r--r-- | connectivity/source/drivers/firebird/ResultSet.cxx | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/connectivity/source/drivers/firebird/ResultSet.cxx b/connectivity/source/drivers/firebird/ResultSet.cxx index 0e0361a7bbd8..17e87cf8a55d 100644 --- a/connectivity/source/drivers/firebird/ResultSet.cxx +++ b/connectivity/source/drivers/firebird/ResultSet.cxx @@ -579,10 +579,11 @@ OUString OResultSet::retrieveValue(const sal_Int32 nColumnIndex, const ISC_SHORT else if (aSqlType == SQL_VARYING) { // First 2 bytes are a short containing the length of the string - // No idea if sqllen is still valid here? + // Under unclear conditions, it may be wrong and greater than sqllen. sal_uInt16 aLength = *reinterpret_cast<sal_uInt16*>(m_pSqlda->sqlvar[nColumnIndex-1].sqldata); + // Use greater signed type sal_Int32 to get the minimum of two 16-bit values return OUString(m_pSqlda->sqlvar[nColumnIndex-1].sqldata + 2, - aLength, + std::min<sal_Int32>(aLength, m_pSqlda->sqlvar[nColumnIndex-1].sqllen), RTL_TEXTENCODING_UTF8); } else if ((aSqlType == SQL_SHORT || aSqlType == SQL_LONG || |