Server crashes while converting an overscaled numeric to a string [CORE4093] #4421

Closed
firebird-issue-importer opened this issue Apr 27, 2013 · 13 comments

Submitted by: Petr Gurin (gurin)

Is related to QA513

select cast(round(123.45, -40) as varchar (41)) from rdb$database
works fine,

select cast(round(123.45, -40) as varchar (40)) from rdb$database
gives: conversion error from string "00000000000000000000000000000000000000000", but

select cast(round(123.45, -41) as varchar (41)) from rdb$database
crashes the server.
This select is really stupid and the problem was found occasionally while I was testing the boundary behaviour of a converting stored procedure; but a similar request makes it possible for a user to crash the server practically without any permissions.

Commits: 8ea5479 bdbc5ea d276486 FirebirdSQL/fbt-repository@7d3f215 FirebirdSQL/fbt-repository@c06de4e FirebirdSQL/fbt-repository@8dbdec4 FirebirdSQL/fbt-repository@94d5e36

firebird-issue-importer commented Apr 27, 2013

Modified by: Petr Gurin (gurin)

Version: 2.5.2 Update 1 [ 10521 ]

firebird-issue-importer commented Apr 27, 2013

Modified by: @dyemanov

priority: Minor [ 4 ] => Major [ 3 ]

Component: Engine [ 10000 ]

firebird-issue-importer commented Apr 27, 2013

Modified by: @dyemanov

assignee: Dmitry Yemanov [ dimitr ]

firebird-issue-importer commented Apr 27, 2013

Modified by: @dyemanov

status: Open [ 1 ] => In Progress [ 3 ]

firebird-issue-importer commented Apr 28, 2013

Commented by: @dyemanov

Another test case for a crash:

select cast(cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) as varchar (41)) from rdb$database

It demonstrates two different (although related) buffer overruns (32 bytes in cvt.cpp::integer_to_text() and 41 bytes in cvt.cpp::CVT_conversion_error()). In both cases, our code assumes that any numeric is limited. However, there's no scale validation in the engine so NUMERIC(18, 45) is internally accepted and this leads to crashes in numeric->string conversion routines.
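
The failure mode described in the comment above, as an added C++ example that is not Firebird's code: a scaled 64-bit numeric is rendered to text with the required length checked before anything is written to a fixed buffer, plus a scale check applied before conversion. The function names, the `MAX_PRECISION` limit and the convention that a negative scale means fractional digits are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Assumed convention for this example: number = value * 10^scale, so a
// negative scale means fractional digits, a positive one trailing zeros.
constexpr int MAX_PRECISION = 18;  // assumed digit limit of a 64-bit NUMERIC

// Assumed policy: reject scales that only unchecked scale arithmetic can
// produce (e.g. three NUMERIC(18,15) factors multiplied give scale -45).
bool scale_is_valid(int scale) {
    return scale >= -MAX_PRECISION && scale <= MAX_PRECISION;
}

// Render the scaled integer as decimal text with no assumption about length.
std::string scaled_to_string(int64_t value, int scale) {
    bool neg = value < 0;
    // Negate in unsigned space so INT64_MIN does not overflow.
    uint64_t mag = neg ? 0 - static_cast<uint64_t>(value)
                       : static_cast<uint64_t>(value);
    std::string digits = std::to_string(mag);
    if (scale > 0) {
        digits.append(static_cast<size_t>(scale), '0');
    } else if (scale < 0) {
        size_t frac = static_cast<size_t>(-scale);
        if (digits.size() <= frac)  // pad so one integer digit remains
            digits.insert(0, frac - digits.size() + 1, '0');
        digits.insert(digits.size() - frac, 1, '.');
    }
    return neg ? "-" + digits : digits;
}

// Bounded conversion: returns false instead of writing past out[out_size - 1].
bool numeric_to_text(int64_t value, int scale, char* out, size_t out_size) {
    std::string text = scaled_to_string(value, scale);
    if (text.size() + 1 > out_size)  // +1 for the terminating NUL
        return false;
    std::memcpy(out, text.c_str(), text.size() + 1);
    return true;
}

int main() {
    char buf[32];  // constructed size: enough for any in-range scale
    std::printf("scale -45 valid: %d\n", scale_is_valid(-45));
    std::printf("needed: %zu bytes\n", scaled_to_string(0, -45).size() + 1);
    std::printf("fits in buf: %d\n", numeric_to_text(0, -45, buf, sizeof buf));
    return 0;
}
```
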

firebird-issue-importer commented Apr 28, 2013

Modified by: @dyemanov

summary: Simple select with casting rounded numeric as varchar crushes the server => Server crashes while converting an overscaled numeric to a string

firebird-issue-importer commented Apr 28, 2013

Modified by: @dyemanov

status: In Progress [ 3 ] => Open [ 1 ]

firebird-issue-importer commented Apr 28, 2013

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 Alpha 1 [ 10331 ]

Fix Version: 2.5.3 [ 10461 ]

Fix Version: 2.1.6 [ 10460 ]

firebird-issue-importer commented Apr 28, 2013

Modified by: @dyemanov

Version: 2.1.5 Update 1 [ 10522 ]

Version: 2.5.2 [ 10450 ]

Version: 2.1.5 [ 10420 ]

Version: 2.0.7 [ 10390 ]

Version: 2.5.1 [ 10333 ]

Version: 2.1.4 [ 10361 ]

Version: 2.5.0 [ 10221 ]

Version: 2.0.6 [ 10303 ]

Version: 3.0 Initial [ 10301 ]

Version: 2.1.3 [ 10302 ]

Version: 2.1.2 [ 10270 ]

Version: 2.0.5 [ 10222 ]

Version: 2.1.1 [ 10223 ]

Version: 2.1.0 [ 10041 ]

Version: 2.5.3 [ 10461 ] =>

firebird-issue-importer commented Mar 29, 2014

Modified by: @pcisar

Link: This issue is related to QA513 [ QA513 ]

firebird-issue-importer commented Jul 12, 2015

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Done successfully

firebird-issue-importer commented Jul 12, 2015

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
