Package: libdbd-firebird-perl
Version: 0.91-2
Severity: grave
Tags: security upstream patch
X-Debbugs-CC: secur...@debian.org
Filing as a bug report.

----- Forwarded message from Stefan Roas <stefan.r...@fau.de> -----

From: Stefan Roas <stefan.r...@fau.de>
Subject: [Dbd-firebird-devel] Buffer Overflow in dbdimp.c
To: dbd-firebird-de...@lists.alioth.debian.org
Date: Fri, 13 Mar 2015 17:36:31 +0100

Hi there,

I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use sprintf to a fixed-size buffer that (quite likely in two cases) might be too small to hold the final result.

Attached you find a patch that solves the problem by increasing the size of the buffer to a value that should be large enough for every conceivable input given the conversion specification, and additionally uses snprintf() instead of sprintf(). As snprintf() is already used somewhere else in dbdimp.c I figure there are no portability issues involved.

I did not check the other uses of sprintf, although it might be worthwhile to do so, as a quick check found other locations where a fixed-size buffer is involved.

Best regards,
Stefan

--
Stefan Roas, Datenbanken und studentische Verfahren
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Hugenottenplatz 1A, 91054 Erlangen, Deutschland
Tel.: +49 9131 85-29018
Fax : +49 9131 85-25777
stefan.r...@fau.de
http://www.rrze.fau.de

diff --git a/dbdimp.c b/dbdimp.c index d985368..dbdf8e3 100644 --- a/dbdimp.c +++ b/dbdimp.c @@ -21,6 +21,8 @@ DBISTATE_DECLARE; +#define ERRBUFSIZE 255 + #define IB_SQLtimeformat(xxh, format, sv) \ do { \ STRLEN len; \ @@ -2237,8 +2239,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value, /* * User passed an undef to a field that is not nullable. */ - char err[80]; - sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i); + char err[ERRBUFSIZE]; + snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i); do_error(sth, 1, err); retval = FALSE; return retval;
@@ -2278,8 +2280,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value, string = SvPV(value, len); if (len > ivar->sqllen) { - char err[80]; - sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu", + char err[ERRBUFSIZE]; + snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu", (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen))); break; } @@ -2301,8 +2303,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value, string = SvPV(value, len); if (len > ivar->sqllen) { - char err[80]; - sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu", + char err[ERRBUFSIZE]; + snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu", (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen))); break; }

----- End forwarded message -----
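Review bot: the `#define ERRBUFSIZE 255` in the first hunk (line 21) carries no comment on how the value was chosen; the sizing argument from the cover note belongs right next to it, e.g. `/* largest message in this file: 75 fixed characters + two %lu values of up to 20 digits + NUL = 116 bytes */`, so whoever adds the next message knows the budget. With `snprintf(err, sizeof(err), ...)` the constant only decides whether a message gets cut off, not whether memory is overwritten, and the comment should say that too.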
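Review bot: the message in the hunk at line 2237 could not have overflowed the old 80-byte buffer if `i` is an int: 59 fixed characters plus at most 11 for `%d` and the terminator is 71 bytes. Moving it to ERRBUFSIZE and snprintf is still right for consistency, but the changelog of the security upload should attribute the actual overflow to the two string-truncation messages, which is what the cover note's "quite likely in two cases" refers to.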
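Review bot: in the SQL_VARYING hunk (line 2278) the visible context shows `err` being filled by snprintf and then control reaching `break;` with no `do_error(sth, 1, err);` call like the one in the hunk at line 2237, so either that call sits outside the three context lines or the message is never reported and the `break` silently skips binding the parameter; worth confirming against the full function before upload. The arithmetic does support the new size: 75 fixed characters plus two `%lu` values of up to 20 digits each is 115 bytes plus the terminator, which overflows 80 and fits in 255. Minor: `sizeof(char) * (ivar->sqllen)` is just `ivar->sqllen`, since `sizeof(char)` is 1 by definition.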
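Review bot: the SQL_TEXT hunk (line 2301) has the same shape as the SQL_VARYING one: no `do_error` call is visible between the snprintf and the `break`, and the same worst case (72 fixed characters plus two 20-digit values, 113 bytes with the terminator) shows the old 80-byte buffer was overflowable while 255 suffices. As this is the third copy of the `char err[ERRBUFSIZE]; snprintf(err, sizeof(err), ...)` sequence, a small static helper taking the format and arguments would keep the buffer size and the truncation handling in one place.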
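To make the sizing argument in the cover note concrete, here is an added example (my own code, not part of the bug report or of DBD::Firebird) that measures how long the SQL_VARYING message from the patch can become and contrasts the old 80-byte buffer with ERRBUFSIZE. The format string and the value 255 are taken from the patch; the helper names (`varying_msg_len`, `format_varying_err`, `message_fits`, `old_buffer_overflows`) and `OLD_ERRBUFSIZE` are hypothetical, chosen for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constant and format string as in the patch; everything else is illustrative. */
#define ERRBUFSIZE 255
#define OLD_ERRBUFSIZE 80   /* size of the pre-patch buffer */

static const char VARYING_FMT[] =
    "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu";

/* Bytes the formatted message needs, excluding the terminating NUL.
 * snprintf(NULL, 0, ...) is the C99 sizing idiom: nothing is written. */
int varying_msg_len(unsigned long len, unsigned long collen)
{
    return snprintf(NULL, 0, VARYING_FMT, len, collen);
}

/* Worst case on this platform: both %lu conversions at maximum width. */
int varying_msg_worst_case(void)
{
    return varying_msg_len(ULONG_MAX, ULONG_MAX);
}

/* Hardened formatter, i.e. the snprintf(err, sizeof(err), ...) pattern the
 * patch adopts, with the return value checked so the caller learns whether
 * the message was cut off. Never writes past buf. Returns 1 if the message
 * is complete, 0 if it was truncated or snprintf failed. */
int format_varying_err(char *buf, size_t bufsize, unsigned long len, unsigned long collen)
{
    int n = snprintf(buf, bufsize, VARYING_FMT, len, collen);
    if (n < 0) {
        if (bufsize > 0) buf[0] = '\0';
        return 0;
    }
    return (size_t)n < bufsize;   /* n == bufsize means the NUL displaced the last char */
}

/* Would the message fit in a buffer of bufsize bytes? (bufsize capped at ERRBUFSIZE + 1) */
int message_fits(size_t bufsize, unsigned long len, unsigned long collen)
{
    char tmp[ERRBUFSIZE + 1];
    if (bufsize > sizeof tmp) bufsize = sizeof tmp;
    return format_varying_err(tmp, bufsize, len, collen);
}

/* Would plain sprintf into the old 80-byte buffer overflow in the worst case?
 * sprintf writes the message plus one NUL byte. */
int old_buffer_overflows(void)
{
    return varying_msg_worst_case() + 1 > OLD_ERRBUFSIZE;
}

int main(void)
{
    /* "%lu" with value 0 expands to one character, so subtracting 2 gives the fixed text length. */
    printf("fixed text: %d bytes, worst case on this platform: %d bytes (+1 for NUL)\n",
           varying_msg_len(0, 0) - 2, varying_msg_worst_case());
    printf("old %d-byte buffer overflows in the worst case: %s\n", OLD_ERRBUFSIZE,
           old_buffer_overflows() ? "yes" : "no");
    printf("worst case fits in %d bytes: %d, in %d bytes: %d\n",
           OLD_ERRBUFSIZE, message_fits(OLD_ERRBUFSIZE, ULONG_MAX, ULONG_MAX),
           ERRBUFSIZE, message_fits(ERRBUFSIZE, ULONG_MAX, ULONG_MAX));
    return 0;
}
```

The fixed text is 75 bytes on every platform; what varies is the width of `unsigned long`, which is why the worst case is computed with `ULONG_MAX` rather than hard-coded. Checking the return value of `snprintf` is the part the patch leaves out: with it, a truncated diagnostic is at least detectable instead of silently shortened.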