Fix crash when SetValue_char is called with a negative length value.

This can happen in odbconn.cpp when SQLFetch returns SQL_NO_TOTAL (-4) as length. modified: storage/connect/odbconn.cpp modified: storage/connect/value.cpp
MariaDB · Aug 14, 2015 · 6d46c97 · 6d46c97
1 parent 335ec7a
commit 6d46c97
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/storage/connect/odbconn.cpp b/storage/connect/odbconn.cpp
@@ -2360,9 +2360,11 @@ int ODBConn::GetCatInfo(CATPARM *cap)
         } // endif rc
 
       for (n = 0, crp = qrp->Colresp; crp; n++, crp = crp->Next) {
-        if (vlen[n] == SQL_NULL_DATA)
+				if (vlen[n] == SQL_NO_TOTAL)
+					ThrowDBX("Unexpected SQL_NO_TOTAL returned from SQLFetch");
+				else if (vlen[n] == SQL_NULL_DATA)
           pval[n]->SetNull(true);
-        else if (crp->Type == TYPE_STRING && vlen[n] != SQL_NULL_DATA)
+        else if (crp->Type == TYPE_STRING/* && vlen[n] != SQL_NULL_DATA*/)
           pval[n]->SetValue_char(pbuf[n], vlen[n]);
         else
           pval[n]->SetNull(false);

diff --git a/storage/connect/value.cpp b/storage/connect/value.cpp
@@ -103,6 +103,7 @@ ulonglong CharToNumber(char *p, int n, ulonglong maxval,
 
   if (minus) *minus = false;
   if (rc) *rc = false;
+	if (n <= 0) return 0LL;
 
   // Eliminate leading blanks or 0
   for (p2 = p + n; p < p2 && (*p == ' ' || *p == '0'); p++) ;
@@ -705,7 +706,7 @@ bool TYPVAL<TYPE>::SetValue_char(char *p, int n)
 template <>
 bool TYPVAL<double>::SetValue_char(char *p, int n)
   {
-  if (p) {
+  if (p && n > 0) {
     char buf[64];
 
     for (; n > 0 && *p == ' '; p++)
@@ -1345,7 +1346,7 @@ bool TYPVAL<PSZ>::SetValue_char(char *p, int n)
   {
   bool rc;
 
-  if (p) {
+  if (p && n > 0) {
     rc = n > Len;
 
     if ((n = MY_MIN(n, Len))) {
@@ -1804,7 +1805,7 @@ bool DECVAL::SetValue_char(char *p, int n)
   {
   bool rc;
 
-  if (p) {
+  if (p && n > 0) {
     rc = n > Len;
 
     if ((n = MY_MIN(n, Len))) {
@@ -2095,7 +2096,7 @@ bool BINVAL::SetValue_char(char *p, int n)
   {
   bool rc;
 
-  if (p) {
+  if (p && n > 0) {
     rc = n > Clen;
     Len = MY_MIN(n, Clen);
     memcpy(Binp, p, Len);
@@ -2672,13 +2673,16 @@ bool DTVAL::SetValue_char(char *p, int n)
     int   ndv;
     int  dval[6];
 
-    // Trim trailing blanks
-    for (p2 = p + n -1; p < p2 && *p2 == ' '; p2--) ;
+		if (n > 0) {
+			// Trim trailing blanks
+			for (p2 = p + n -1; p < p2 && *p2 == ' '; p2--);
 
-    if ((rc = (n = p2 - p + 1) > Len))
-      n = Len;
+			if ((rc = (n = p2 - p + 1) > Len))
+				n = Len;
+
+			memcpy(Sdate, p, n);
+			} // endif n
 
-    memcpy(Sdate, p, n);
     Sdate[n] = '\0';
 
     ndv = ExtractDate(Sdate, Pdtp, DefYear, dval);