Fix potential buffer overflow in CPLODBCSession::Failed (#1390)
szekerest authored Mar 27, 2019
1 parent 25400d3 commit d81e08e
Showing 1 changed file with 16 additions and 5 deletions.
21 changes: 16 additions & 5 deletions gdal/port/cpl_odbc.cpp
Expand Up @@ -345,22 +345,33 @@ int CPLODBCSession::Failed( int nRetCode, HSTMT hStmt )
for(SQLSMALLINT nRecNum = 1; nDiagRetCode == SQL_SUCCESS; ++nRecNum)
{
SQLCHAR achSQLState[5 + 1] = {};
SQLCHAR achCurErrMsg[SQL_MAX_MESSAGE_LENGTH] = {};
SQLCHAR* pachCurErrMsg = static_cast<SQLCHAR *>(CPLMalloc((SQL_MAX_MESSAGE_LENGTH + 1) * sizeof(SQLCHAR)));
SQLSMALLINT nTextLength = 0;
SQLINTEGER nNativeError = 0;

nDiagRetCode = SQLGetDiagRec( SQL_HANDLE_STMT, hStmt, nRecNum,
achSQLState, &nNativeError,
reinterpret_cast<SQLCHAR *>(achCurErrMsg),
sizeof(achCurErrMsg) - 1, &nTextLength );
reinterpret_cast<SQLCHAR *>(pachCurErrMsg),
SQL_MAX_MESSAGE_LENGTH, &nTextLength );
if (nDiagRetCode == SQL_SUCCESS ||
nDiagRetCode == SQL_SUCCESS_WITH_INFO)
{
achCurErrMsg[nTextLength] = '\0';
if (nTextLength >= SQL_MAX_MESSAGE_LENGTH)
{
// the buffer wasn't enough, retry
SQLSMALLINT nTextLength2 = 0;
pachCurErrMsg = static_cast<SQLCHAR *>(CPLRealloc(pachCurErrMsg, (nTextLength + 1) * sizeof(SQLCHAR)));
nDiagRetCode = SQLGetDiagRec(SQL_HANDLE_STMT, hStmt, nRecNum,
achSQLState, &nNativeError,
reinterpret_cast<SQLCHAR *>(pachCurErrMsg),
nTextLength, &nTextLength2);
}
pachCurErrMsg[nTextLength] = '\0';
m_osLastError += CPLString().Printf("%s[%5s]%s(" CPL_FRMT_GIB ")",
(m_osLastError.empty() ? "" : ", "), achSQLState,
achCurErrMsg, static_cast<GIntBig>(nNativeError));
pachCurErrMsg, static_cast<GIntBig>(nNativeError));
}
CPLFree(pachCurErrMsg);
}

if( nRetCode == SQL_ERROR && m_bInTransaction )
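Review bot: The retry call passes `nTextLength` as BufferLength even though the buffer was just grown to `nTextLength + 1`; ODBC counts the terminator in BufferLength, so the retried message still loses its last character (no overrun, since the allocation is `nTextLength + 1`, but the retry does not achieve its stated purpose). Change the last argument line of the retry to `static_cast<SQLSMALLINT>(nTextLength + 1), &nTextLength2);` — and if `nTextLength` can reach the SQLSMALLINT maximum, that `+ 1` needs a guard before the cast. The retry's return code is also never examined before `pachCurErrMsg[nTextLength] = '\0'` and the append: if the second SQLGetDiagRec fails, the buffer still holds the first, truncated text and it is appended silently, so consider guarding that block on `nDiagRetCode` (or on `nTextLength2`). Minor style point: `reinterpret_cast<SQLCHAR *>(pachCurErrMsg)` in both calls is now a no-op because the variable is already `SQLCHAR *`. The body of CPLODBCSession::Failed starts and ends outside the hunk.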
