
AV in engine when storing text blob with transliteration blob filter [CORE2222] #2650

Closed
firebird-issue-importer opened this issue Dec 2, 2008 · 9 comments

Comments


@firebird-issue-importer firebird-issue-importer commented Dec 2, 2008

Submitted by: @hvlad

Is related to CORE2785

Attachments:
core-2222.zip

Commits: 8bb2d57 f839b23


@firebird-issue-importer firebird-issue-importer commented Dec 2, 2008

Commented by: @hvlad

User test case:

Run Firebird and open 2 command prompts.

1. isql <any database> -ch win1251 -user ... -pass ...
input core-2222.sql;

2. isql <same database> -ch win1251 -user ... -pass ...
select char_length(mon$sql_text) from mon$statements;

server crashed here


@firebird-issue-importer firebird-issue-importer commented Dec 2, 2008

Modified by: @hvlad

Attachment: core-2222.zip [ 11220 ]


@firebird-issue-importer firebird-issue-importer commented Dec 2, 2008

Commented by: @hvlad

The problem is in filter_transliterate_text() doing isc_blob_filter_put_segment action.

/* How much space do we need to convert? */
result_length = aux->ctlaux_obj1.convertLength(len);

result_length is USHORT, while CsConvert::convertLength() returns a ULONG value since v2.0 (if I am not mistaken). It may return 4 times more bytes than were passed in "len" and easily overflow the USHORT value. Therefore a small buffer is allocated in aux->ctlaux_buffer1, and CsConvert::convert() overflows it, corrupting memory.
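The narrowing described in the comment above, shown as an added example (not hvlad's code and not Firebird's fix; convert_length() is a hypothetical stand-in for CsConvert::convertLength() with the 4-bytes-per-input-byte worst case the comment mentions, and the checked variant is an assumption about how a caller can refuse rather than wrap). The truncated path only computes the wrong size; it never writes past a buffer, so it runs safely and lets a reader see how a 20 000-byte segment turns into a 14 464-byte allocation request.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned short USHORT;
typedef unsigned long  ULONG;

/* Hypothetical stand-in for CsConvert::convertLength(): a multi-byte target
 * charset may need up to 4 output bytes for every input byte. */
ULONG convert_length(ULONG len)
{
    return len * 4u;
}

/* The defect pattern: the ULONG result is stored into a USHORT, so anything
 * above 65535 wraps modulo 65536 and a buffer sized from it is too small
 * for what the convert step will actually write. Computation only, no write. */
USHORT truncated_result_length(ULONG len)
{
    USHORT result_length = (USHORT) convert_length(len);  /* silent narrowing */
    return result_length;
}

/* Hardened variant (assumed, not the project's fix): keep the callee's width,
 * compare against the narrower field's maximum, and fail instead of wrapping.
 * Returns 1 and sets *out when the value fits, 0 otherwise. */
int checked_result_length(ULONG len, USHORT *out)
{
    ULONG needed = convert_length(len);
    if (needed > USHRT_MAX)
        return 0;
    *out = (USHORT) needed;
    return 1;
}

/* Sizes the scratch buffer only from the checked length, so a caller can
 * never be handed a buffer smaller than the conversion needs. */
unsigned char *alloc_convert_buffer(ULONG len, USHORT *buf_len)
{
    if (!checked_result_length(len, buf_len))
        return NULL;  /* reject the segment rather than under-allocate */
    return (unsigned char *) malloc(*buf_len);
}

int main(void)
{
    ULONG len = 20000;  /* constructed: one 20 000-byte text segment */
    USHORT ok_len = 0;
    printf("bytes really needed : %lu\n", convert_length(len));
    printf("after USHORT narrow : %u\n", (unsigned) truncated_result_length(len));
    printf("checked allocation  : %s\n",
           checked_result_length(len, &ok_len) ? "fits" : "rejected");
    return 0;
}
```

The check belongs at the point where the wide value meets the narrow field; once the truncated value has been used to size a buffer, no later bounds check on the USHORT can recover the lost information.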


@firebird-issue-importer firebird-issue-importer commented Dec 2, 2008

Modified by: @hvlad

assignee: Vlad Khorsun [ hvlad ]


@firebird-issue-importer firebird-issue-importer commented Dec 2, 2008

Modified by: @hvlad

status: Open [ 1 ] => Open [ 1 ]

Fix Version: 2.1.2 [ 10270 ]

Fix Version: 2.5 Beta 1 [ 10251 ]


@firebird-issue-importer firebird-issue-importer commented Dec 4, 2008

Modified by: @hvlad

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]


@firebird-issue-importer firebird-issue-importer commented Jan 26, 2009

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]


@firebird-issue-importer firebird-issue-importer commented Dec 2, 2009

Modified by: @asfernandes

Link: This issue is related to CORE2785 [ CORE2785 ]


@firebird-issue-importer firebird-issue-importer commented Jan 19, 2016

Modified by: @pavel-zotov

QA Status: No test
