bug-glpk

Re: [Bug-glpk] bug in glpk 4.44 in glpsql.c


From: glpk xypron
Subject: Re: [Bug-glpk] bug in glpk 4.44 in glpsql.c
Date: Thu, 15 Jul 2010 22:14:43 +0200

Hello Peter,

thank you for identifying the bug.

I guess Andrew will incorporate the patch in the next release.

The problem probably went undetected because memory assigned
by malloc is aligned on many systems, giving spare bytes
in some cases.

Could you please indicate the platform on which you
experienced the error and provide an example table statement
that leads to the error?

This will allow the construction of a test case.

Best regards

Xypron

-------- Original Message --------
> Date: Thu, 15 Jul 2010 00:16:58 +0200
> Subject: [Bug-glpk] bug in glpk 4.44 in glpsql.c

> Hello,
> 
> I found a memory overrun error in glpsql.c in glpk version 4.44
> 
> In routine
> 
> static char **args_concat(TABDCA *dca)
> 
> There is:
> 
>    j0     = 3;
>    i      = 0;
>    lentot = 0;
>    for (j = 3; j <= narg; j++)
>    {
>       arg = mpl_tab_get_arg(dca, j);
>       len = strlen(arg);
>       lentot += len;
>       if (arg[len-1] == ';' || j == narg)
>       {  /* Join arguments for a single SQL statement */
>          sqllines[i] = xmalloc(lentot+1);
>          sqllines[i+1] = NULL;
>          sqllines[i][0] = 0x00;
>          for (j1 = j0; j1 <= j; j1++)
>          {  if(j1>j0)
>                strcat(sqllines[i], " ");
>             strcat(sqllines[i], mpl_tab_get_arg(dca, j1));
>          }
>          len = strlen(sqllines[i]);
>          if (sqllines[i][len-1] == ';')
>             sqllines[i][len-1] = 0x00;
>          j0 = j+1;
>          i++;
>          lentot = 0;
>       }
>    }
> 
> The error is a memory overrun of sqllines[i] because of the statement
> 
>          if(j1>j0)
>                strcat(sqllines[i], " ");
> 
> The problem is that when allocating memory via 
> 
> sqllines[i] = xmalloc(lentot+1);
> 
> that lentot does not consider that space.
> 
> So I think the code must be:
> 
>    j0     = 3;
>    i      = 0;
>    lentot = 0;
>    for (j = 3; j <= narg; j++)
>    {
>       arg = mpl_tab_get_arg(dca, j);
>       len = strlen(arg);
>       lentot += len;
>       if (j>j0)
>           lentot++; /* added by peno */
>       if (arg[len-1] == ';' || j == narg)
>       {  /* Join arguments for a single SQL statement */
>          sqllines[i] = xmalloc(lentot+1);
>          sqllines[i+1] = NULL;
>          sqllines[i][0] = 0x00;
>          for (j1 = j0; j1 <= j; j1++)
>          {  if(j1>j0)
>                strcat(sqllines[i], " ");
>             strcat(sqllines[i], mpl_tab_get_arg(dca, j1));
>          }
>          len = strlen(sqllines[i]);
>          if (sqllines[i][len-1] == ';')
>             sqllines[i][len-1] = 0x00;
>          j0 = j+1;
>          i++;
>          lentot = 0;
>       }
>    }
> 
> note the comment /* added by peno */
> 
> Best regards,
> 
> Peter Notebaert

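The sizing mismatch Peter describes, as an added stand-alone C example (this is neither GLPK's code nor Peter's patch). It models the join loop of args_concat() with two simplifications that are assumptions of the example: the arguments come from a NULL-terminated array indexed from 0 instead of mpl_tab_get_arg(dca, j) for j = 3..narg, and the sample argument list is constructed rather than taken from a real table statement. alloc_original() reproduces the 4.44 allocation size, bytes_needed() the size the strcat() loop really writes, so their difference is the number of bytes the overrun covers; join_statements() builds the statements with the corrected size and also skips the arg[len-1] test for an empty argument, which the original code would read one byte before its buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not GLPK code: a stand-alone model of the join loop in
 * args_concat() (glpsql.c, glpk 4.44). Assumed simplifications: arguments
 * come from a NULL-terminated array indexed from 0 rather than from
 * mpl_tab_get_arg(dca, j) for j = 3..narg, and the sample list below is
 * constructed, not a real table statement. */

/* Constructed sample: two SQL statements spread over nine arguments. */
char *example_args[] = { "SELECT", "a,", "b", "FROM", "t;",
                         "SELECT", "c", "FROM", "u", NULL };

static int count_args(char **args)
{
    int n = 0;
    while (args[n] != NULL)
        n++;
    return n;
}

/* Bytes the 4.44 code passes to xmalloc() for args[first..last]: summed
 * lengths plus the NUL, with no room for separators. */
size_t alloc_original(char **args, int first, int last)
{
    size_t lentot = 0;
    for (int j = first; j <= last; j++)
        lentot += strlen(args[j]);
    return lentot + 1;
}

/* Bytes the join loop actually writes: one more per argument after the
 * first, for the ' ' that strcat() inserts (Peter's extra lentot++). */
size_t bytes_needed(char **args, int first, int last)
{
    size_t lentot = 0;
    for (int j = first; j <= last; j++) {
        lentot += strlen(args[j]);
        if (j > first)
            lentot++;
    }
    return lentot + 1;
}

void free_statements(char **stmts)
{
    for (int i = 0; stmts != NULL && stmts[i] != NULL; i++)
        free(stmts[i]);
    free(stmts);
}

/* Splits args into statements like args_concat(): an argument ending in
 * ';' or the last argument closes a statement. Each buffer is sized with
 * bytes_needed(), and arg[len-1] is only read when len > 0, so an empty
 * argument cannot cause a read before the string. Returns a NULL-terminated
 * array of malloc()ed strings with trailing ';' stripped. */
char **join_statements(char **args)
{
    int narg = count_args(args), i = 0, j0 = 0;
    char **out = malloc((size_t)(narg + 1) * sizeof *out);
    if (out == NULL)
        return NULL;
    for (int j = 0; j < narg; j++) {
        size_t len = strlen(args[j]);
        if (!((len > 0 && args[j][len - 1] == ';') || j == narg - 1))
            continue;
        char *s = malloc(bytes_needed(args, j0, j));
        if (s == NULL) {
            out[i] = NULL;
            free_statements(out);
            return NULL;
        }
        s[0] = '\0';
        for (int j1 = j0; j1 <= j; j1++) {
            if (j1 > j0)
                strcat(s, " ");
            strcat(s, args[j1]);
        }
        len = strlen(s);
        if (len > 0 && s[len - 1] == ';')
            s[len - 1] = '\0';
        out[i++] = s;
        j0 = j + 1;
    }
    out[i] = NULL;
    return out;
}

int main(void)
{
    /* First statement is args 0..4: the 4.44 sizing is short by 4 bytes. */
    printf("allocated %zu, written %zu\n", alloc_original(example_args, 0, 4),
           bytes_needed(example_args, 0, 4));
    char **stmts = join_statements(example_args);
    for (int i = 0; stmts != NULL && stmts[i] != NULL; i++)
        printf("statement %d: \"%s\"\n", i, stmts[i]);
    free_statements(stmts);
    return 0;
}
```

For the sample list the first statement is five arguments, so the original sizing is short by exactly four bytes (one per separator), which matches Xypron's remark that allocator padding can hide the overrun on many systems: a shortfall that small often lands inside the slack of a rounded-up malloc chunk, and only a sanitizer or a statement with many short arguments makes it visible.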


