Hello,

I found a memory overrun error in glpsql.c in glpk version 4.44.

In routine

   static char **args_concat(TABDCA *dca)

there is:
      j0 = 3;
      i = 0;
      lentot = 0;
      for (j = 3; j <= narg; j++)
      {
         arg = mpl_tab_get_arg(dca, j);
         len = strlen(arg);
         lentot += len;
         if (arg[len-1] == ';' || j == narg)
         {  /* Join arguments for a single SQL statement */
            sqllines[i] = xmalloc(lentot+1);
            sqllines[i+1] = NULL;
            sqllines[i][0] = 0x00;
            for (j1 = j0; j1 <= j; j1++)
            {  if(j1>j0)
                  strcat(sqllines[i], " "); /* this separator byte is not counted in lentot */
               strcat(sqllines[i], mpl_tab_get_arg(dca, j1));
            }
            len = strlen(sqllines[i]);
            if (sqllines[i][len-1] == ';')
               sqllines[i][len-1] = 0x00;
            j0 = j+1;
            i++;
            lentot = 0;
         }
      }
The error is a memory overrun of sqllines[i] because of the statement

   if(j1>j0)
      strcat(sqllines[i], " ");

The problem is that when allocating memory via

   sqllines[i] = xmalloc(lentot+1);

lentot does not take that space into account.

So I think the code must be:
      j0 = 3;
      i = 0;
      lentot = 0;
      for (j = 3; j <= narg; j++)
      {
         arg = mpl_tab_get_arg(dca, j);
         len = strlen(arg);
         lentot += len;
         if (j>j0)
            lentot++; /* added by peno */
         if (arg[len-1] == ';' || j == narg)
         {  /* Join arguments for a single SQL statement */
            sqllines[i] = xmalloc(lentot+1);
            sqllines[i+1] = NULL;
            sqllines[i][0] = 0x00;
            for (j1 = j0; j1 <= j; j1++)
            {  if(j1>j0)
                  strcat(sqllines[i], " ");
               strcat(sqllines[i], mpl_tab_get_arg(dca, j1));
            }
            len = strlen(sqllines[i]);
            if (sqllines[i][len-1] == ';')
               sqllines[i][len-1] = 0x00;
            j0 = j+1;
            i++;
            lentot = 0;
         }
      }
Note the comment /* added by peno */.

Best regards,

Peter Notebaert

_______________________________________________
Bug-glpk mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/bug-glpk
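A self-contained version of the same join logic with the corrected size accounting, added here as an illustration and not taken from glpsql.c or from the patch above. It assumes plain arrays of C strings in place of TABDCA/mpl_tab_get_arg and malloc in place of xmalloc, and generalises the fix to any argument range: the buffer size is computed up front from the text bytes, one separator per gap and the terminator, so strlen(result) + 1 always equals the allocation.

```c
#include <stdlib.h>
#include <string.h>

/* Join args[first..last] with single spaces into a new string. The size
 * counts text bytes, one separator byte per gap (the byte the report says
 * lentot missed) and the terminator. Returns NULL on allocation failure. */
static char *join_args(const char **args, int first, int last)
{
    size_t need = 1;                 /* terminator */
    int k;
    char *s;
    for (k = first; k <= last; k++) {
        need += strlen(args[k]);
        if (k > first) need++;       /* separator before every arg but the first */
    }
    s = malloc(need);
    if (s == NULL) return NULL;
    s[0] = '\0';
    for (k = first; k <= last; k++) {
        if (k > first) strcat(s, " ");
        strcat(s, args[k]);
    }
    return s;                        /* strlen(s) + 1 == need by construction */
}

/* Group args[0..narg-1] into SQL statements the way args_concat does: an
 * argument ending in ';' closes a statement (the ';' is dropped) and the last
 * argument always closes one. Returns a NULL-terminated array, count in *nstmt. */
static char **split_statements(const char **args, int narg, int *nstmt)
{
    char **lines = calloc((size_t)narg + 1, sizeof *lines); /* <= narg statements */
    int j, j0 = 0, i = 0;
    if (lines == NULL) return NULL;
    for (j = 0; j < narg; j++) {
        size_t len = strlen(args[j]);
        if ((len > 0 && args[j][len - 1] == ';') || j == narg - 1) {
            char *s = join_args(args, j0, j);
            size_t slen;
            if (s == NULL) return NULL;
            slen = strlen(s);
            if (slen > 0 && s[slen - 1] == ';') s[slen - 1] = '\0';
            lines[i++] = s;          /* calloc keeps lines[i] NULL-terminated */
            j0 = j + 1;
        }
    }
    *nstmt = i;
    return lines;
}
```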