Fixes: possible buffer overrun on interval conversion. Catalog length handling (#217)

bpintea · bpintea · commit db3cde3024a0 · 2020-03-17T23:35:57.000+01:00
* fix overrun when converting a c-string to interval When converting a C-string to a wide string, the conversion function 0-terminates the output. However, the allocated destination buffer lacked the space for the terminator. This commit fixes that. * fix catalog setting The API function provides the byte count for the wide string name of the catalog, not the character count, as so far implemented. This commit fixes the lenght handling. (cherry picked from commit e390375)
diff --git a/driver/connect.c b/driver/connect.c
@@ -2618,7 +2618,7 @@ static SQLRETURN check_catalog_name(esodbc_dbc_st *dbc, SQLWCHAR *name,
 	if (len < 0) {
 		catalog.cnt = wcslen(name);
 	} else {
-		catalog.cnt = (size_t)len;
+		catalog.cnt = ((size_t)len)/sizeof(SQLWCHAR);
 	}
 	if (! EQ_WSTR(&dbc->catalog, &catalog)) {
 		if (! dbc->catalog.cnt) {
@@ -2770,7 +2770,7 @@ SQLRETURN EsSQLSetConnectAttrW(
 		case SQL_ATTR_CURRENT_CATALOG:
 			DBGH(dbc, "setting current catalog to: `" LWPDL "`.",
 				/* string should be 0-term'd */
-				0 <= StringLength ? StringLength : SHRT_MAX,
+				0 <= StringLength ? StringLength/sizeof(SQLWCHAR) : SHRT_MAX,
 				(SQLWCHAR *)Value);
 			return check_catalog_name(dbc, (SQLWCHAR *)Value, StringLength);
 
diff --git a/driver/convert.c b/driver/convert.c
@@ -3917,7 +3917,9 @@ static SQLRETURN c2sql_str2interval(esodbc_rec_st *arec, esodbc_rec_st *irec,
 			INFOH(stmt, "translation buffer too small (%zu < %lld), "
 				"allocation needed.", sizeof(wbuff)/sizeof(wbuff[0]),
 				(size_t)octet_len);
-			wptr = malloc(octet_len * sizeof(SQLWCHAR));
+			/* 0-term is most of the time not counted in input str and
+			 * ascii_c2w() writes it -> always allocate space for it */
+			wptr = malloc((octet_len + 1) * sizeof(SQLWCHAR));
 			if (! wptr) {
 				ERRNH(stmt, "OOM for %lld x SQLWCHAR", octet_len);
 				RET_HDIAGS(stmt, SQL_STATE_HY001);
@@ -3936,6 +3938,8 @@ static SQLRETURN c2sql_str2interval(esodbc_rec_st *arec, esodbc_rec_st *irec,
 			}
 			/* should only happen on too short input string */
 			RET_HDIAGS(stmt, SQL_STATE_22018);
+		} else {
+			assert(ret <= octet_len + 1); /* no overrun */
 		}
 		wstr.str = wptr;
 		wstr.cnt = (size_t)octet_len;
