Alex Peshkoff via Firebird-devel wrote 07.09.2022 18:26:
> Not sure what you mean by 'terminal item', but it may be followed by
> isc_info_end if that fits into the buffer.
> What about the two-byte length: it's a single-byte item not followed by anything.
> See how it's added:
Ok, now see how it is handled:
    while (!redo && *p != isc_info_end && p < buf + buf_len)
    {
        const UCHAR item = *p++;
        const USHORT len = static_cast<USHORT>(gds__vax_integer(p, 2));
        p += 2;
        switch (item)
        {
        .......
        case isc_info_truncated:
            redo = true;
            break;
        default:
            (Arg::Gds(isc_random) << "Invalid info item").raise();
        }
        p += len;
    }
At the fourth line you can get a read past the buffer and maybe a crash. And this code
is copy-pasted everywhere in the Firebird source.
--
WBR, SD.
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
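To make the overread concrete, here is an added example (not Firebird code) that models the quoted loop's memory accesses without dereferencing them, next to a bounds-checked walk over the same [item][2-byte LE length][payload]...isc_info_end layout. The constant values for isc_info_end and isc_info_truncated are assumed here and match Firebird's ibase.h; the single-byte nature of isc_info_truncated follows the thread above.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>

// Assumed constants for this stand-alone example (same values as Firebird's ibase.h).
enum : uint8_t { isc_info_end = 1, isc_info_truncated = 2 };

// Mirrors the quoted loop, but only records how far it *would* read instead of
// touching the memory. Returns the number of bytes beyond buf + buf_len it accesses.
size_t overreadOfQuotedLoop(const uint8_t* buf, size_t buf_len) {
    size_t off = 0, touched = 0;   // touched = one past the highest offset dereferenced
    bool redo = false;
    while (!redo) {
        touched = std::max(touched, off + 1);   // '*p != isc_info_end' dereferences first...
        if (off >= buf_len) break;              // ...and only then is 'p < buf + buf_len' tested
        if (buf[off] == isc_info_end) break;
        const uint8_t item = buf[off++];
        touched = std::max(touched, off + 2);   // gds__vax_integer(p, 2) always reads two bytes
        if (off + 2 > buf_len) break;           // past here the length would be garbage memory
        const uint16_t len = static_cast<uint16_t>(buf[off] | (buf[off + 1] << 8));
        off += 2;
        if (item == isc_info_truncated) redo = true;
        off += len;                             // 'p += len' can jump far past the buffer
    }
    return touched > buf_len ? touched - buf_len : 0;
}

struct WalkResult {
    size_t items;     // items with a complete [item][len][payload] inside the buffer
    bool truncated;   // isc_info_truncated seen (single-byte item, no length follows)
    bool overrun;     // the walk refused a read or skip that would leave the buffer
};

// Bounds-checked walk: every read is preceded by a check on the bytes remaining.
WalkResult walkInfoBuffer(const uint8_t* buf, size_t buf_len) {
    WalkResult r{0, false, false};
    const uint8_t* p = buf;
    const uint8_t* const end = buf + buf_len;
    while (p < end && *p != isc_info_end) {     // bounds test before the dereference
        const uint8_t item = *p++;
        if (item == isc_info_truncated) { r.truncated = true; break; }
        if (end - p < 2) { r.overrun = true; break; }   // not enough room for the length
        const uint16_t len = static_cast<uint16_t>(p[0] | (p[1] << 8));
        p += 2;
        if (static_cast<size_t>(end - p) < len) { r.overrun = true; break; }
        p += len;
        ++r.items;
    }
    return r;
}
```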