Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.15
    • Fix Version/s: 3.1.16
    • Component/s: General
    • Labels: None
    • Environment: Debian 11 amd64 and arm64

    Description

      SQLFetch crashes when the target buffer was set to a null buffer (to get the column data length) as SQL_C_WCHAR.

      The crash occurs in ma_statement.c on line 1914 when

      *(char*)Stmt->result[i].buffer != '\0'

      gets dereferenced and buffer is a null pointer.

      Attached are a test that currently crashes and a patch file that adds a NULL check.
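The binding that triggers the report is legitimate ODBC: SQLBindCol with a null TargetValuePtr and a non-null StrLen_or_IndPtr binds only the length/indicator buffer, so a later SQLFetch has to report the data length without ever touching the (absent) data buffer. The C program below is an added illustration of that fetch path, not code from mariadb-connector-odbc or from the attached patch; the binding_t struct, fetch_into_binding and the UTF-8/UTF-16 helpers are hypothetical, the SQL_* constant values are assumed to mirror sql.h/sqlext.h, SQLWCHAR is assumed to be 2-byte UTF-16, and the cell text is constructed. It shows the guard the crashing line lacks (buffer == NULL means "count only"), the indicator carrying the full converted length, and truncation reported as SQL_SUCCESS_WITH_INFO.

```c
/* Model of an ODBC column binding and the SQL_C_WCHAR fetch path.
 * Added illustration, not the connector's code. Constant values are assumed to
 * match sql.h/sqlext.h; SQLWCHAR is assumed to be a 2-byte UTF-16 unit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SQL_C_WCHAR           (-8)
#define SQL_NULL_DATA         (-1)
#define SQL_SUCCESS             0
#define SQL_SUCCESS_WITH_INFO   1
#define SQL_ERROR             (-1)

/* One SQLBindCol binding: TargetType, TargetValuePtr, BufferLength, StrLen_or_IndPtr. */
typedef struct {
    int     c_type;
    void   *buffer;          /* NULL: the application bound only the length/indicator */
    size_t  buffer_length;   /* bytes available at buffer */
    long   *str_len_or_ind;  /* receives SQL_NULL_DATA or the full data length in bytes */
} binding_t;

/* Decode one UTF-8 sequence; returns bytes consumed, 0 if malformed.
 * Continuation bytes are only read after a matching lead byte, so a
 * NUL terminator ends the check safely. */
static size_t utf8_decode(const unsigned char *s, uint32_t *cp)
{
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0 && (s[1] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x1F) << 6) | (s[1] & 0x3F); return 2; }
    if ((s[0] & 0xF0) == 0xE0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x0F) << 12) | ((uint32_t)(s[1] & 0x3F) << 6) | (s[2] & 0x3F); return 3; }
    if ((s[0] & 0xF8) == 0xF0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80 && (s[3] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x07) << 18) | ((uint32_t)(s[1] & 0x3F) << 12)
            | ((uint32_t)(s[2] & 0x3F) << 6) | (s[3] & 0x3F); return 4; }
    return 0;
}

/* UTF-8 -> UTF-16. Always returns the number of units the whole text needs.
 * With out != NULL it writes at most cap-1 units (never splitting a surrogate
 * pair) plus a terminator; with out == NULL it only counts and touches nothing. */
static size_t utf8_to_utf16(const char *src, uint16_t *out, size_t cap)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t needed = 0, written = 0;
    while (*s) {
        uint32_t cp;
        uint16_t units[2];
        size_t k, n = utf8_decode(s, &cp);
        if (n == 0) { cp = 0xFFFD; n = 1; }          /* malformed byte -> U+FFFD */
        s += n;
        if (cp >= 0x10000) {
            cp -= 0x10000;
            units[0] = (uint16_t)(0xD800 | (cp >> 10));
            units[1] = (uint16_t)(0xDC00 | (cp & 0x3FF));
            k = 2;
        } else {
            units[0] = (uint16_t)cp;
            k = 1;
        }
        needed += k;
        if (out != NULL && written + k < cap) {
            memcpy(out + written, units, k * sizeof units[0]);
            written += k;
        }
    }
    if (out != NULL && cap > 0) out[written] = 0;
    return needed;
}

/* Deliver one cell (UTF-8, or NULL for SQL NULL) to its binding during SQLFetch.
 * Returns SQL_SUCCESS, SQL_SUCCESS_WITH_INFO (truncated, SQLSTATE 01004) or SQL_ERROR. */
int fetch_into_binding(const char *value, binding_t *b)
{
    size_t cap_units, needed_units;

    if (value == NULL) {                               /* SQL NULL: indicator only */
        if (b->str_len_or_ind) *b->str_len_or_ind = SQL_NULL_DATA;
        return SQL_SUCCESS;
    }
    if (b->c_type != SQL_C_WCHAR) return SQL_ERROR;    /* other C types not modelled here */

    /* The guard missing from the crashing line: a NULL TargetValuePtr gives a
     * capacity of 0, the converter only counts, and b->buffer is never dereferenced. */
    cap_units = b->buffer ? b->buffer_length / sizeof(uint16_t) : 0;
    needed_units = utf8_to_utf16(value, (uint16_t *)b->buffer, cap_units);
    if (b->str_len_or_ind) *b->str_len_or_ind = (long)(needed_units * sizeof(uint16_t));
    return (b->buffer != NULL && needed_units + 1 > cap_units) ? SQL_SUCCESS_WITH_INFO : SQL_SUCCESS;
}

int main(void)
{
    long ind = 0;
    uint16_t wbuf[3];
    const char *cell = "h\xc3\xa9llo";                 /* constructed sample cell: "héllo" */

    /* The configuration from the report: NULL target, SQL_C_WCHAR, indicator bound. */
    binding_t len_only = { SQL_C_WCHAR, NULL, 0, &ind };
    int rc = fetch_into_binding(cell, &len_only);
    printf("length-only binding: rc=%d, data needs %ld bytes\n", rc, ind);

    /* Second pass into a buffer that is too small, to show truncation reporting. */
    binding_t small = { SQL_C_WCHAR, wbuf, sizeof wbuf, &ind };
    rc = fetch_into_binding(cell, &small);
    printf("3-unit buffer: rc=%d, wbuf[1]=U+%04X, full length still %ld bytes\n", rc, wbuf[1], ind);
    return 0;
}
```

The two-pass pattern in main is why the indicator must be filled even when no data buffer is bound: the application reads the length from the first fetch, allocates, rebinds with a real buffer and fetches again. The guard is deliberately placed before the conversion call rather than inside it, so that no later code on the same path can reach the buffer pointer first.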

      Attachments

        1. ODBC_TEST_t_info.c
          1 kB
          Patrick Braun
        2. segv-fix.patch
          0.9 kB
          Patrick Braun

        Activity

          Patrick Braun (pbraun) created issue
          Patrick Braun (pbraun) made changes:
          Summary: changed from "Segemtation fault in SQLBindCol" to "Segmentation fault in SQLBindCol"

          Lawrin Novitsky (Lawrin) added a comment:

          Thank you for your report. Everything looks to make sense.
          Since you provide both the testcase and the fix, maybe it's a good idea for you to make a pull request here so it will be in the history under your name? But please note in the PR that you are contributing the whole thing under the BSD-new license.
          Patrick Braun (pbraun) added a comment:

          I have opened a PR on GitHub: https://github.com/mariadb-corporation/mariadb-connector-odbc/pull/56

          Lawrin Novitsky (Lawrin) added a comment:

          The PR with the fix and the testcase has been merged. Thanks to Patrick Braun who did all the job.
          Lawrin Novitsky (Lawrin) made changes:
          Fix Version/s: 3.1.16
          Resolution: Fixed
          Status: changed from Open to Closed
          Lawrin Novitsky (Lawrin) made changes:
          Description, original value:

          SQLFetch crashes when target buffer was set to a null buffer (to get column data length) on mediumtext column.

          Crash occurs in [ma_statement.c on line 1914|https://github.com/mariadb-corporation/mariadb-connector-odbc/blob/d2a96c4a2b506cc0309ea2bda29fda19ca3fc4b8/ma_statement.c#L1914] when
          {code:c}
          *(char*)Stmt->result[i].buffer != '\0'
          {code}
          gets dereferenced and buffer is a null pointer.

          Attached are a test that currently crashes and a patch file that adds a NULL check.

          Description, new value:

          SQLFetch crashes when target buffer was set to a null buffer to get column data length as SQL_C_WCHAR.

          Crash occurs in [ma_statement.c on line 1914|https://github.com/mariadb-corporation/mariadb-connector-odbc/blob/d2a96c4a2b506cc0309ea2bda29fda19ca3fc4b8/ma_statement.c#L1914] when
          {code:c}
          *(char*)Stmt->result[i].buffer != '\0'
          {code}
          gets dereferenced and buffer is a null pointer.

          Attached are a test that currently crashes and a patch file that adds a NULL check.

          Lawrin Novitsky (Lawrin) added a comment:

          Updated description as column type was not important here, while SQL_C_WCHAR C type is.
          Lawrin Novitsky (Lawrin) made changes:
          Summary: changed from "Segmentation fault in SQLBindCol" to "Segmentation fault in SQLFetch"

          People

            Assignee: Lawrin Novitsky (Lawrin)
            Reporter: Patrick Braun (pbraun)
            Votes: 0
            Watchers: 2
