Thread: Buffer overrun in copy_statement_with_parameters ?

From: lothar.behrens@lollisoft.de
Hi,

Currently I am trying to find malloc bugs in my code, and it may be that some of the
mpatrol log entries are related to the following function in convert.c:

copy_statement_with_parameters(...)

Mpatrol reports

ERROR: [RNGOVF]: memcpy: range [0x08070370,0x0807038A] overflows [0x08070350,0x0807037E]
    0x08070350 (47 bytes) {malloc:5667:0} [-|-|-]
        0x4058DC9E ???                                  <------- Used as breakpoint
        0x4058BFD2 ???
        0x405A168C ???
        0x4051B60B ???
        0x4048B3FC ???
        0x08049578 main+1452
        0x401D1500 __libc_start_main+224
        0x08048F31 _start+33

But if I print out some debug messages, it seems ok. The buffer is about 4096
bytes.

Any ideas?

I have SuSE 9.1/mpatrol 1.4.8/psqlODBC 07.03.0200

Thanks, Lothar

// ...
            if (0 != (qb->flags & FLGB_KEYSET_DRIVEN))
            {
                qb->npos = npos;
                /* ----------
                 * 1st query is for field information
                 * 2nd query is keyset gathering
                 */
                CVT_APPEND_STR(qb, " where ctid = '(0,0)';select ctid, oid from ");
                //- Problematic code -----------------------
                CVT_APPEND_DATA(qb, qp->statement + qp->from_pos + 5, npos - qp->from_pos - 5);
                //-------------------------------------------------
            }
        }
        stmt->load_statement = malloc(npos + 1);
        memcpy(stmt->load_statement, qb->query_statement, npos);
        stmt->load_statement[npos] = '\0';
    }
#endif   /* DRIVER_CURSOR_IMPLEMENT */

--
Lothar Behrens    |    Rapid Prototyping ...
Rosmarinstr 3        |
40235 Düsseldorf      |    www.lollisoft.de
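Added here as a triage aid, not code from the post or from psqlODBC: a small C decoder for the mpatrol RNGOVF line quoted above (rejoined onto one line as constructed input), which turns the two hex ranges into the numbers to compare against the lengths handed to each memcpy on the reported path. For the quoted line it yields a 47-byte block, a 27-byte copy that starts 32 bytes into the block and runs 12 bytes past its end.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: the RNGOVF line quoted in the post, rejoined onto one line. */
static const char MPATROL_LINE[] =
    "ERROR: [RNGOVF]: memcpy: range [0x08070370,0x0807038A] "
    "overflows [0x08070350,0x0807037E]";

struct rngovf {
    unsigned long copy_lo, copy_hi;   /* inclusive range touched by memcpy */
    unsigned long blk_lo, blk_hi;     /* inclusive range of the heap block */
    size_t copy_len;                  /* bytes memcpy touched */
    size_t blk_len;                   /* bytes the block really holds */
    size_t start_off;                 /* offset of the copy from the block start */
    size_t past_end;                  /* bytes beyond the end of the block */
};

/* Parse one mpatrol RNGOVF line; returns 0 on success, -1 if not parsable. */
int decode_rngovf(const char *line, struct rngovf *r)
{
    const char *p = strstr(line, "[RNGOVF]");
    if (p == NULL || (p = strstr(p, "range [")) == NULL)
        return -1;
    /* %lx accepts the 0x prefix that mpatrol prints. */
    if (sscanf(p, "range [%lx,%lx] overflows [%lx,%lx]",
               &r->copy_lo, &r->copy_hi, &r->blk_lo, &r->blk_hi) != 4)
        return -1;
    if (r->copy_hi < r->copy_lo || r->blk_hi < r->blk_lo)
        return -1;
    /* mpatrol ranges are inclusive at both ends, hence the +1. */
    r->copy_len  = (size_t)(r->copy_hi - r->copy_lo + 1);
    r->blk_len   = (size_t)(r->blk_hi - r->blk_lo + 1);
    r->start_off = r->copy_lo > r->blk_lo ? (size_t)(r->copy_lo - r->blk_lo) : 0;
    r->past_end  = r->copy_hi > r->blk_hi ? (size_t)(r->copy_hi - r->blk_hi) : 0;
    return 0;
}

int main(void)
{
    struct rngovf r;
    if (decode_rngovf(MPATROL_LINE, &r) != 0) {
        fprintf(stderr, "not an RNGOVF line\n");
        return 1;
    }
    printf("block %zu bytes, copy of %zu bytes starts at offset %zu, "
           "runs %zu bytes past the end\n",
           r.blk_len, r.copy_len, r.start_off, r.past_end);
    return 0;
}
```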