Bug 974794 - Out-of-bounds read in sqlchar_as_sqlwchar
Summary: Out-of-bounds read in sqlchar_as_sqlwchar
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mysql-connector-odbc
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Honza Horak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-15 21:40 UTC by Björn Persson
Modified: 2013-06-29 18:48 UTC (History)
1 user (show)

Fixed In Version: mysql-connector-odbc-5.2.5-2.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-29 18:48:17 UTC
Type: Bug

Attachments (Terms of Use)
reverses the order of the two tests (370 bytes, patch)
2013-06-15 21:40 UTC, Björn Persson 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description Björn Persson 2013-06-15 21:40:45 UTC 
Created attachment 761707 [details]
reverses the order of the two tests

In debugging a crashing program I spent many hours investigating this error report from Valgrind:

==20611== Conditional jump or move depends on uninitialised value(s)
==20611==    at 0x7DEEF11: sqlchar_as_sqlwchar (stringutil.c:97)
==20611==    by 0x7DCE77E: SQLConnect (ansi.c:268)
==20611==    by 0x6: ???
==20611==  Uninitialised value was created by a heap allocation
==20611==    at 0x4028308: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==20611==    by 0x88C493C: my_malloc (in /usr/lib/i386-linux-gnu/libmysqlclient.so.18.0.0)
==20611==    by 0x7DEEFCA: sqlchar_as_sqlwchar (stringutil.c:71)
==20611==    by 0x7DCE77E: SQLConnect (ansi.c:268)
==20611==    by 0x6: ???

I found that the code on line 97 reads past the end of the string, looking for a terminating null character that isn't there and apparently isn't supposed to be there as the length of the string is kept in a separate variable. The code then tries to avoid a disaster by doing the right test after it has done the wrong test, but with a bit of bad luck the out-of-bounds read could cause a segmentation fault. Even if the error wouldn't affect the operation of the code, fixing it will save programmers from wasting their time chasing false alarms.

This patch reverses the order of the two tests. I suppose checking for null characters is OK as an additional safety measure, but it needs to be done conditionally after the length test to avoid an out-of-bounds read.

Upstream bug report: http://bugs.mysql.com/bug.php?id=64105

(The Valgrind report above is from a Debian system but the bug is present in Fedora too.)
Comment 1 Honza Horak 2013-06-17 08:33:45 UTC 
Thank you for reporting this. The patch is applied in Rawhide and build for F19 will be available right away.
Comment 2 Fedora Update System 2013-06-17 08:35:08 UTC 
mysql-connector-odbc-5.2.5-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/mysql-connector-odbc-5.2.5-2.fc19
Comment 3 Fedora Update System 2013-06-17 17:02:02 UTC 
Package mysql-connector-odbc-5.2.5-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mysql-connector-odbc-5.2.5-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11050/mysql-connector-odbc-5.2.5-2.fc19
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2013-06-29 18:48:17 UTC 
mysql-connector-odbc-5.2.5-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.