
[UDF, AV] Server incorrectly calculates a memory size for scalar_array_desc #7892

Open
@dmitry-lipetsk

Description


Hello,

sizeof(scalar_array_desc) == 32

Note: this is the size of an array descriptor with one dimension.

When I call the UDF

DECLARE EXTERNAL FUNCTION IBP_UDF__ADIM__I4
 INTEGER BY SCALAR_ARRAY
RETURNS INTEGER BY VALUE
ENTRY_POINT 'fn_get_arr_dim__i4__sa'
MODULE_NAME 'lcpi.ibp.test.udf.01.dll'

I see the following situation in this code:

firebird/src/jrd/fun.epp

Lines 377 to 380 in 6340df1

// Start by constructing argument list
UCHAR* temp_ptr = temp.getBuffer(function->fun_temp_length + FB_DOUBLE_ALIGN);
MOVE_CLEAR(temp_ptr, temp.getCount());
temp_ptr = FB_ALIGN(temp_ptr, FB_DOUBLE_ALIGN);


Server allocates 16+8 bytes here.

And it uses this memory below:

firebird/src/jrd/fun.epp

Lines 479 to 483 in 6340df1

else if (parameter->prm_fun_mechanism == FUN_scalar_array)
{
    length = get_scalar_array(tdbb, parameter, input, (scalar_array_desc*) temp_ptr,
                              array_stack);
}

There are two mistakes:

  1. function->fun_temp_length is calculated incorrectly
  2. It won't work with multidimensional arrays - get_scalar_array must allocate scalar_array_desc.

Server crashes in MemPool::releaseMemory

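The sizing defect the report describes, as an added example (this is not Firebird's code; the `dsc`, `sad_repeat` and `scalar_array_desc` layouts below are assumed, simplified stand-ins for the types in jrd/val.h, and `FB_DOUBLE_ALIGN` / `MAX_ARRAY_DIMENSIONS` are assumed constants). It shows why `sizeof(scalar_array_desc)` only covers a one-dimensional descriptor, how the required length grows per dimension, and the bounds check a caller can apply before writing the descriptor into a fixed temp buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMED, simplified stand-ins for Firebird's internal descriptor types
 * (jrd/val.h). Only the shape matters for this example: a fixed header
 * followed by one bounds pair per dimension, but with storage declared
 * for a single dimension, so sizeof() describes a 1-D descriptor only. */
typedef struct {
    uint8_t  dsc_dtype;
    int8_t   dsc_scale;
    uint16_t dsc_length;
    int16_t  dsc_sub_type;
    uint16_t dsc_flags;
    uint8_t* dsc_address;
} dsc;

typedef struct {
    int32_t sad_lower;
    int32_t sad_upper;
} sad_repeat;

typedef struct {
    dsc        sad_desc;
    int32_t    sad_dimensions;
    sad_repeat sad_rpt[1];   /* bounds for ONE dimension; more follow in memory */
} scalar_array_desc;

#define FB_DOUBLE_ALIGN      8    /* assumed, matches the name used in fun.epp */
#define MAX_ARRAY_DIMENSIONS 16   /* assumed upper limit on dimensions */

/* Bytes needed for a descriptor with n_dims dimensions: header plus one
 * bounds pair per dimension. This, not sizeof(scalar_array_desc), is what
 * a temp-buffer length has to be derived from. */
size_t scalar_array_desc_size(unsigned n_dims)
{
    if (n_dims < 1)
        n_dims = 1;
    return offsetof(scalar_array_desc, sad_rpt) + (size_t) n_dims * sizeof(sad_repeat);
}

/* The same requirement rounded up to FB_DOUBLE_ALIGN, comparable with the
 * "fun_temp_length + FB_DOUBLE_ALIGN" figure quoted from fun.epp. */
size_t scalar_array_desc_size_aligned(unsigned n_dims)
{
    size_t raw = scalar_array_desc_size(n_dims);
    return (raw + FB_DOUBLE_ALIGN - 1) & ~((size_t) FB_DOUBLE_ALIGN - 1);
}

/* Write a descriptor for n_dims dimensions into a caller-owned buffer.
 * Returns 1 on success and 0 when the buffer cannot hold the bounds table,
 * i.e. the case where writing anyway would run past the allocation and
 * corrupt the heap. */
int fill_scalar_array_desc(void* buf, size_t buf_len, unsigned n_dims, const sad_repeat* bounds)
{
    if (buf == NULL || bounds == NULL || n_dims < 1 || n_dims > MAX_ARRAY_DIMENSIONS)
        return 0;
    if (buf_len < scalar_array_desc_size(n_dims))
        return 0;                                   /* too small: refuse, do not overflow */

    uint8_t* p = (uint8_t*) buf;
    scalar_array_desc* sad = (scalar_array_desc*) p;
    memset(&sad->sad_desc, 0, sizeof sad->sad_desc);
    sad->sad_dimensions = (int32_t) n_dims;
    /* Bounds are copied through the byte pointer so the copy is bounded by the
     * buffer length validated above, not by the one-element array declaration. */
    memcpy(p + offsetof(scalar_array_desc, sad_rpt), bounds, (size_t) n_dims * sizeof(sad_repeat));
    return 1;
}

/* Reproduces the report's scenario in miniature: a buffer sized for one
 * dimension is fine for a 1-D array, is rejected for a 3-D array, and a
 * buffer sized with scalar_array_desc_size(3) accepts the 3-D array. */
int demo_size_check(void)
{
    uint8_t one_dim_buf[sizeof(scalar_array_desc)];
    const sad_repeat bounds[3] = { {1, 10}, {1, 5}, {0, 2} };   /* constructed sample bounds */

    int ok_1d = fill_scalar_array_desc(one_dim_buf, sizeof one_dim_buf, 1, bounds);
    int ok_3d = fill_scalar_array_desc(one_dim_buf, sizeof one_dim_buf, 3, bounds);

    size_t need   = scalar_array_desc_size(3);
    uint8_t* big  = malloc(need);
    int ok_3d_big = big != NULL && fill_scalar_array_desc(big, need, 3, bounds);
    free(big);

    return ok_1d && !ok_3d && ok_3d_big;
}

int main(void)
{
    printf("sizeof(scalar_array_desc) = %zu (one dimension, with padding)\n", sizeof(scalar_array_desc));
    for (unsigned n = 1; n <= 4; ++n)
        printf("dims=%u need=%zu aligned=%zu\n", n, scalar_array_desc_size(n), scalar_array_desc_size_aligned(n));
    printf("size check %s\n", demo_size_check() ? "behaves as expected" : "FAILED");
    return 0;
}
```

The point of the explicit length check in `fill_scalar_array_desc` is that the descriptor's size is a function of the incoming array's dimension count, so it cannot be fixed at function-declaration time; a buffer sized from a constant (in the report's numbers, 16+8 bytes against a 32-byte one-dimensional descriptor) fails the check even before multidimensional arrays are considered, which is consistent with the heap corruption surfacing later in `MemPool::releaseMemory`.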
