Hi!

Was a part of a bug fix:
http://bazaar.launchpad.net/%7Edrizzle-developers/drizzle/development/revision/1022.5.1

So we need to patch this.

Cheers,
        -Brian

On May 27, 2009, at 5:52 AM, Paul McCullagh wrote:

A recent change to the String class (sql_string.h) causes a crash or overwrite.

This is the new code:

 inline char *c_ptr()
 {
   if (str_length == Alloced_length)
     (void) realloc(str_length);
   else
     Ptr[str_length]= 0;
 }

The problem is that Alloced_length can be zero. This means the buffer was not allocated in the string object.

In this case the function either crashes or overwrites.

This is the original implementation, which looks fine to me, except that it might not be "safe":

 inline char *c_ptr()
 {
   if (!Ptr || Ptr[str_length])         /* Should be safe */
     (void) realloc(str_length);
   return Ptr;
 }

It may not be safe because the user of c_ptr may not always be able to assume the zero terminator will remain zero.

For this purpose we have String::c_ptr_safe().

Anyway, the question: was this the reason for the change to String::c_ptr()?


--
Paul McCullagh
PrimeBase Technologies
www.primebase.org
www.blobstreaming.org
pbxt.blogspot.com




_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

--
_______________________________________________________
Brian "Krow" Aker, brian at tangent.org
Seattle, Washington
http://krow.net/                     <-- Me
http://tangent.org/                <-- Software
_______________________________________________________
You can't grep a dead tree.




_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to