Re: SQLGetInfo buffer overflow?

Wed, Jan 25, 2006 at 11:52:13AM -0500, Tom Lane napsal(a):
> Anyone have a comment on
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178925

I see no problem without Unicode support. I'm not sure with unicode version.

RETCODE SQL_API PGAPI_GetInfo(
HDBC hdbc,
UWORD fInfoType, // 18
PTR rgbInfoValue, // output buffer
SWORD cbInfoValueMax, // size of output buffer
SWORD FAR * pcbInfoValue) // returned length
{
char *p = NULL,
tmp[MAX_INFO_STRING];
int len = 0;

...

switch (fInfoType)
case SQL_DBMS_VER:
snprintf(tmp, sizeof(tmp) - 1, "%s %s", POSTGRESDRIVERVERSION, conn->pg_version);
tmp[sizeof(tmp) - 1] = '\0';
p = tmp;
break;

...

result = SQL_SUCCESS;

if (p) {
len = strlen(p);
#ifdef UNICODE_SUPPORT
if (conn->unicode)
len = len * WCLEN;
#endif
if (rgbInfoValue) {
#ifdef UNICODE_SUPPORT
if (conn->unicode)
len = utf8_to_ucs2(p, len, (SQLWCHAR *) rgbInfoValue, cbInfoValueMax / 2);
else
#endif
strncpy_null((char *) rgbInfoValue, p, (size_t) cbInfoValueMax);

if (len >= cbInfoValueMax) {
result = SQL_SUCCESS_WITH_INFO;
CC_set_error(conn, CONN_TRUNCATED, "The buffer was too small for the InfoValue.");
}
}
}

...

if (pcbInfoValue)
*pcbInfoValue = len;

mylog("%s: p='%s', len=%d, value=%d, cbMax=%d\n", func, p ? p : "<NULL>", len, value, cbInfoValueMax);

return result;
}

I have no time for this issue until next week. The code is located
in info.c.

Regards,

Luf