A recent change to the String class (sql_string.h) causes a crash or overwrite.

This is the new code:

  inline char *c_ptr()
  {
    if (str_length == Alloced_length)
      (void) realloc(str_length);
    else
      Ptr[str_length]= 0;
  }

The problem is that Alloced_length can be zero. This means the buffer was not allocated in the string object.

In this case the function either crashes or overwrites.

This is the original implementation, which looks fine to me, except that it might not be "safe":

  inline char *c_ptr()
  {
    if (!Ptr || Ptr[str_length])                /* Should be safe */
      (void) realloc(str_length);
    return Ptr;
  }

It may not be safe because the user of c_ptr may not always be able to assume the zero terminator will remain zero.

For this purpose we have String::c_ptr_safe().

Anyway, the question: was this the reason for the change to String::c_ptr()?


--
Paul McCullagh
PrimeBase Technologies
www.primebase.org
www.blobstreaming.org
pbxt.blogspot.com




_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to