lsm/mdbtools
1
0
Fork 0
mirror of https://github.com/mdbtools/mdbtools.git synced 2026-02-25 21:26:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix potential stack corruption

Browse Source 
A mal-formed catalog could overrun certain stack variables. Move the
variables to the heap and allocate them to hold the active bind size.
This commit is contained in:
Evan Miller
2020-12-28 21:02:17 -05:00
parent d35807cd6c
commit a0ebd91114
1 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/libmdb/catalog.c
View File

@@ -67,11 +67,11 @@ GPtrArray *mdb_read_catalog (MdbHandle *mdb, int objtype)
{ {
MdbCatalogEntry *entry, msysobj; MdbCatalogEntry *entry, msysobj;
MdbTableDef *table; MdbTableDef *table;
char obj_id[256]; char *obj_id = NULL;
char obj_name[MDB_MAX_OBJ_NAME]; char *obj_name = NULL;
char obj_type[256]; char *obj_type = NULL;
char obj_flags[256]; char *obj_flags = NULL;
char obj_props[MDB_BIND_SIZE]; char *obj_props = NULL;
int type; int type;
int i; int i;
MdbColumn *col_props; MdbColumn *col_props;
@@ -82,6 +82,12 @@ GPtrArray *mdb_read_catalog (MdbHandle *mdb, int objtype)
mdb->catalog = g_ptr_array_new(); mdb->catalog = g_ptr_array_new();
mdb->num_catalog = 0; mdb->num_catalog = 0;
obj_id = malloc(mdb->bind_size);
obj_name = malloc(mdb->bind_size);
obj_type = malloc(mdb->bind_size);
obj_flags = malloc(mdb->bind_size);
obj_props = malloc(mdb->bind_size);
/* dummy up a catalog entry so we may read the table def */ /* dummy up a catalog entry so we may read the table def */
memset(&msysobj, 0, sizeof(MdbCatalogEntry)); memset(&msysobj, 0, sizeof(MdbCatalogEntry));
msysobj.mdb = mdb; msysobj.mdb = mdb;
@@ -146,6 +152,12 @@ cleanup:
if (table) if (table)
mdb_free_tabledef(table); mdb_free_tabledef(table);
free(obj_id);
free(obj_name);
free(obj_type);
free(obj_flags);
free(obj_props);
return mdb->catalog; return mdb->catalog;
} }