Permalink
Browse files

Fix crash when a database transaction fails (bug 6531) (#577)

If one of the queries fails in a transaction, the DBI system would only allocate an array of the size of the amount of all the successful queries before the failed one. It writes data for all the queries though effectively writing past the array bounds leading to heap corruption.

Create the right sized array!
  • Loading branch information...
1 parent f9ec148 commit ea8fdd8fbb7d6a6e026cd88b8d0e1a1c7f84cc3b @peace-maker peace-maker committed with KyleSanderson Jan 23, 2017
Showing with 1 addition and 1 deletion.
  1. +1 −1 core/logic/smn_database.cpp
@@ -1726,7 +1726,7 @@ class TTransactOp : public IDBThreadOperation
{
HandleSecurity sec(ident_, g_pCoreIdent);
- ke::AutoPtr<cell_t[]> data = ke::MakeUnique<cell_t[]>(results_.length());
+ ke::AutoPtr<cell_t[]> data = ke::MakeUnique<cell_t[]>(txn_->entries.length());
for (size_t i = 0; i < txn_->entries.length(); i++)
data[i] = txn_->entries[i].data;

0 comments on commit ea8fdd8

Please sign in to comment.