Server crashes while converting an overscaled numeric to a string [CORE4093]

[firebird-automations]

Submitted by: Petr Gurin (gurin)

Is related to QA513

select cast(round(123.45, -40) as varchar (41)) from rdb$database
works fine,

select cast(round(123.45, -40) as varchar (40)) from rdb$database
does: conversion error from string "00000000000000000000000000000000000000000", but

select cast(round(123.45, -41) as varchar (41)) from rdb$database
crushes the sever.
This select is really stupid and the problem was found occasionally while I was testing the boundary behaviour of converting stored procedure; but the similar request gives the possibility for the user to crash server practicaly without any permissions.

Commits: 8ea5479 bdbc5ea d276486 FirebirdSQL/fbt-repository@7d3f215 FirebirdSQL/fbt-repository@c06de4e FirebirdSQL/fbt-repository@8dbdec4 FirebirdSQL/fbt-repository@94d5e36

[firebird-automations]

Modified by: Petr Gurin (gurin)

description: {{{
select cast(round(123.45, -40) as varchar (41)) from rdb$database
}}}
works fine
{{{
select cast(round(123.45, -40) as varchar (40)) from rdb$database
}}}
does conversion error from string "00000000000000000000000000000000000000000", but
{{{
select cast(round(123.45, -41) as varchar (41)) from rdb$database
}}}
crushes the sever.
This select is really stupid and the problem was found occasionally while I was testing the boundary behaviour of converting stored procedure; but the similar request gives the possibility for the user to crash server practicaly without any permissions.

=>

select cast(round(123.45, -40) as varchar (41)) from rdb$database
works fine,

select cast(round(123.45, -40) as varchar (40)) from rdb$database
does: conversion error from string "00000000000000000000000000000000000000000", but

select cast(round(123.45, -41) as varchar (41)) from rdb$database
crushes the sever.
This select is really stupid and the problem was found occasionally while I was testing the boundary behaviour of converting stored procedure; but the similar request gives the possibility for the user to crash server practicaly without any permissions.

[firebird-automations]

Modified by: Petr Gurin (gurin)

Version: 2.5.2 Update 1 [ 10521 ]

[firebird-automations]

Modified by: @dyemanov

priority: Minor [ 4 ] => Major [ 3 ]

Component: Engine [ 10000 ]

[firebird-automations]

Modified by: @dyemanov

assignee: Dmitry Yemanov [ dimitr ]

[firebird-automations]

Modified by: @dyemanov

status: Open [ 1 ] => In Progress [ 3 ]

[firebird-automations]

Commented by: @dyemanov

Another test case for a crash:

select cast(cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) * cast(0 as numeric(18, 15)) as varchar (41)) from rdb$database

It demonstrates two different (although related) buffer overrruns (32 bytes in cvt.cpp::integer_to_text() and 41 bytes in cvt.cpp::CVT_conversion_error()). In both cases, our code assumes that any numeric is limited. However, there's no scale validation in the engine so NUMERIC(18, 45) is internally accepted and this leads to crashes in numeric->string conversion routines.

[firebird-automations]

Modified by: @dyemanov

summary: Simple select with casting rounded numeric as varchar crushes the server => Server crashes while converting an overscaled numeric to a string

[firebird-automations]

Modified by: @dyemanov

status: In Progress [ 3 ] => Open [ 1 ]

[firebird-automations]

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 Alpha 1 [ 10331 ]

Fix Version: 2.5.3 [ 10461 ]

Fix Version: 2.1.6 [ 10460 ]

[firebird-automations]

Modified by: @dyemanov

Version: 2.1.5 Update 1 [ 10522 ]

Version: 2.5.2 [ 10450 ]

Version: 2.1.5 [ 10420 ]

Version: 2.0.7 [ 10390 ]

Version: 2.5.1 [ 10333 ]

Version: 2.1.4 [ 10361 ]

Version: 2.5.0 [ 10221 ]

Version: 2.0.6 [ 10303 ]

Version: 3.0 Initial [ 10301 ]

Version: 2.1.3 [ 10302 ]

Version: 2.1.2 [ 10270 ]

Version: 2.0.5 [ 10222 ]

Version: 2.1.1 [ 10223 ]

Version: 2.1.0 [ 10041 ]

Version: 2.5.3 [ 10461 ] =>

[firebird-automations]

Modified by: @pcisar

Link: This issue is related to QA513 [ QA513 ]

[firebird-automations]

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Done successfully

[firebird-automations]

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]