Bug 974794

Summary: Out-of-bounds read in sqlchar_as_sqlwchar
Product: [Fedora] Fedora Reporter: Björn Persson <bjorn>
Component: mysql-connector-odbcAssignee: Honza Horak <hhorak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: hhorak
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mysql-connector-odbc-5.2.5-2.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-29 18:48:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
reverses the order of the two tests none

Description Björn Persson 2013-06-15 21:40:45 UTC 
Created attachment 761707 [details]
reverses the order of the two tests

In debugging a crashing program I spent many hours investigating this error report from Valgrind:

==20611== Conditional jump or move depends on uninitialised value(s)
==20611==    at 0x7DEEF11: sqlchar_as_sqlwchar (stringutil.c:97)
==20611==    by 0x7DCE77E: SQLConnect (ansi.c:268)
==20611==    by 0x6: ???
==20611==  Uninitialised value was created by a heap allocation
==20611==    at 0x4028308: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==20611==    by 0x88C493C: my_malloc (in /usr/lib/i386-linux-gnu/libmysqlclient.so.18.0.0)
==20611==    by 0x7DEEFCA: sqlchar_as_sqlwchar (stringutil.c:71)
==20611==    by 0x7DCE77E: SQLConnect (ansi.c:268)
==20611==    by 0x6: ???

I found that the code on line 97 reads past the end of the string, looking for a terminating null character that isn't there and apparently isn't supposed to be there as the length of the string is kept in a separate variable. The code then tries to avoid a disaster by doing the right test after it has done the wrong test, but with a bit of bad luck the out-of-bounds read could cause a segmentation fault. Even if the error wouldn't affect the operation of the code, fixing it will save programmers from wasting their time chasing false alarms.

This patch reverses the order of the two tests. I suppose checking for null characters is OK as an additional safety measure, but it needs to be done conditionally after the length test to avoid an out-of-bounds read.

Upstream bug report: http://bugs.mysql.com/bug.php?id=64105

(The Valgrind report above is from a Debian system but the bug is present in Fedora too.)
Comment 1 Honza Horak 2013-06-17 08:33:45 UTC 
Thank you for reporting this. The patch is applied in Rawhide and build for F19 will be available right away.
Comment 2 Fedora Update System 2013-06-17 08:35:08 UTC 
mysql-connector-odbc-5.2.5-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/mysql-connector-odbc-5.2.5-2.fc19
Comment 3 Fedora Update System 2013-06-17 17:02:02 UTC 
Package mysql-connector-odbc-5.2.5-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mysql-connector-odbc-5.2.5-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11050/mysql-connector-odbc-5.2.5-2.fc19
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2013-06-29 18:48:17 UTC 
mysql-connector-odbc-5.2.5-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.