[CONC-452] OVERRUN error (CWE-119) in file libmariadb/ma_stmt_codec.c Created: 2020-02-05  Updated: 2021-02-03  Resolved: 2020-02-17

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 3.1.6
Fix Version/s: 3.1.8

Type: Bug Priority: Blocker
Reporter: Lukas Javorsky Assignee: Georg Richter
Resolution: Fixed Votes: 0
Labels: Connector, buffer
Environment: All

Description

Hi,

I'm working on fixing errors provided by covscan on the mariadb-connector-c (3.1.6) project and I have a problem solving one of them.

IMHO it's quite an important one, so I want to ask you if you can help me fix it.

This is the log from covscan:
Error: OVERRUN (CWE-119):
mariadb-connector-c-3.1.6-src/libmariadb/ma_stmt_codec.c:1171: overrun-buffer-val: Overrunning array "dtbuffer" of 60 bytes by passing it to a function which accesses it at byte offset 253.

  1169| break;
  1170| }
  1171|-> convert_froma_string(r_param, dtbuffer, length);
  1172| break;
  1173| }

I tried to look at it but unfortunately there is a lot of stuff to process, so I'm kindly asking for your assistance.

Thank you so much
Lukas
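As an added illustration of the bug class covscan flags here, not code from Connector/C or from the fix: a constructed C model in which a formatted value lives in a 60-byte stack buffer and the length handed to the converting helper is derived from the buffer's own contents, plus a check that refuses a length such as the 253-byte offset in the report. All names (`fetch_datetime`, `bounded_length`, `convert_from_string`, `length_is_safe`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer named in the covscan report. */
#define DTBUFFER_SIZE 60

/* A read length is acceptable for a buffer of `bufsize` bytes only if it
 * cannot reach past the buffer; 253 against 60 is the reported case. */
int length_is_safe(size_t length, size_t bufsize)
{
    return length <= bufsize;
}

/* Clamp the length passed on to the bytes actually formatted, and never
 * more than the buffer holds (snprintf reports the untruncated need). */
size_t bounded_length(int written, size_t bufsize)
{
    if (written < 0) return 0;
    if ((size_t)written >= bufsize) return bufsize - 1;
    return (size_t)written;
}

/* Model of the consuming helper: copies `len` bytes out of `src`. This is
 * the read that overruns when `len` exceeds what `src` really holds. */
static void convert_from_string(char *dst, size_t dst_size,
                                const char *src, size_t len)
{
    if (len >= dst_size) len = dst_size - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Format a date/time into a 60-byte stack buffer and pass on a length
 * derived from the buffer, not a length taken from the wire packet. */
size_t fetch_datetime(char *out, size_t out_size,
                      int y, int mo, int d, int h, int mi, int s)
{
    char dtbuffer[DTBUFFER_SIZE];
    int n = snprintf(dtbuffer, sizeof dtbuffer, "%04d-%02d-%02d %02d:%02d:%02d",
                     y, mo, d, h, mi, s);
    size_t length = bounded_length(n, sizeof dtbuffer);
    convert_from_string(out, out_size, dtbuffer, length);
    return length;
}

/* Self-check on a constructed value: returns 1 when the round trip is exact. */
int datetime_roundtrip_ok(void)
{
    char out[DTBUFFER_SIZE];
    size_t len = fetch_datetime(out, sizeof out, 2020, 2, 5, 12, 30, 45);
    return len == 19 && strcmp(out, "2020-02-05 12:30:45") == 0;
}
```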



Comments
Comment by Georg Richter [ 2020-02-05 ]

Thanks for your bug report.

I classified this CVE 1.5 years ago as a false positive - however, after rechecking this CVE, I need to check if we can force a buffer overrun via mysql_stmt_fetch_column().

Comment by Lukas Javorsky [ 2020-02-06 ]

Thanks for the quick response.

Okay, please let me know if something is updated.

Comment by Georg Richter [ 2020-02-17 ]

Fixed. rev. 1218ffac1a9adefd6428e68b6154bc54a04343aa

Generated at Thu Feb 08 03:05:25 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.