Bug 974794 - Out-of-bounds read in sqlchar_as_sqlwchar
Out-of-bounds read in sqlchar_as_sqlwchar
Product: Fedora
Classification: Fedora
Component: mysql-connector-odbc (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Honza Horak
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-06-15 17:40 EDT by Björn Persson
Modified: 2013-06-29 14:48 EDT (History)
1 user (show)

See Also:
Fixed In Version: mysql-connector-odbc-5.2.5-2.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-06-29 14:48:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
reverses the order of the two tests (370 bytes, patch)
2013-06-15 17:40 EDT, Björn Persson
no flags Details | Diff

  None (edit)
Description Björn Persson 2013-06-15 17:40:45 EDT
Created attachment 761707 [details]
reverses the order of the two tests

In debugging a crashing program I spent many hours investigating this error report from Valgrind:

==20611== Conditional jump or move depends on uninitialised value(s)
==20611==    at 0x7DEEF11: sqlchar_as_sqlwchar (stringutil.c:97)
==20611==    by 0x7DCE77E: SQLConnect (ansi.c:268)
==20611==    by 0x6: ???
==20611==  Uninitialised value was created by a heap allocation
==20611==    at 0x4028308: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==20611==    by 0x88C493C: my_malloc (in /usr/lib/i386-linux-gnu/libmysqlclient.so.18.0.0)
==20611==    by 0x7DEEFCA: sqlchar_as_sqlwchar (stringutil.c:71)
==20611==    by 0x7DCE77E: SQLConnect (ansi.c:268)
==20611==    by 0x6: ???

I found that the code on line 97 reads past the end of the string, looking for a terminating null character that isn't there and apparently isn't supposed to be there as the length of the string is kept in a separate variable. The code then tries to avoid a disaster by doing the right test after it has done the wrong test, but with a bit of bad luck the out-of-bounds read could cause a segmentation fault. Even if the error wouldn't affect the operation of the code, fixing it will save programmers from wasting their time chasing false alarms.

This patch reverses the order of the two tests. I suppose checking for null characters is OK as an additional safety measure, but it needs to be done conditionally after the length test to avoid an out-of-bounds read.

Upstream bug report: http://bugs.mysql.com/bug.php?id=64105

(The Valgrind report above is from a Debian system but the bug is present in Fedora too.)
Comment 1 Honza Horak 2013-06-17 04:33:45 EDT
Thank you for reporting this. The patch is applied in Rawhide and build for F19 will be available right away.
Comment 2 Fedora Update System 2013-06-17 04:35:08 EDT
mysql-connector-odbc-5.2.5-2.fc19 has been submitted as an update for Fedora 19.
Comment 3 Fedora Update System 2013-06-17 13:02:02 EDT
Package mysql-connector-odbc-5.2.5-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mysql-connector-odbc-5.2.5-2.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2013-06-29 14:48:17 EDT
mysql-connector-odbc-5.2.5-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.