https://bugs.documentfoundation.org/show_bug.cgi?id=112947
Bug ID: 112947
Summary: Possible write to free'd memory in OResultSet.cxx
Product: LibreOffice
Version: 5.4.2.2 release
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: LibreOffice
Assignee: [email protected]
Reporter: [email protected]
While writing an ODBC driver and running with valgrind I noticed that
creating a DB query could lead to the driver writing to free'd space.
Process is in OResultSet.cxx
Row status array is allocated and set in the driver
    m_pRowStatusArray = new SQLUSMALLINT[1]; // the default value
    setStmtOption<SQLUSMALLINT*, SQL_IS_POINTER>(SQL_ATTR_ROW_STATUS_PTR,
                                                 m_pRowStatusArray);
However in the destructor, when OResultSet is released, m_pRowStatusArray is
released, but the address is not reset in the ODBC driver, so next time that
statement is used, that address is referenced.
A simple (and seems to work) fix is to reset the value when it's released.
OResultSet::~OResultSet()
{
    setStmtOption<SQLUSMALLINT*, SQL_IS_POINTER>(SQL_ATTR_ROW_STATUS_PTR,
                                                 NULL);
    delete [] m_pRowStatusArray;
    delete m_pSkipDeletedSet;
}
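The lifetime problem described in the report, as an added example that is not LibreOffice's code: a C++ model of the result set next to a stand-in for the driver's statement handle (StmtHandle, setRowStatusPtr and driverFetch are assumptions standing in for SQLSetStmtAttr and the driver's fetch path) showing that the driver keeps the freed address unless the attribute is cleared before the array is deleted.

```cpp
// Added example (not LibreOffice code): models the dangling SQL_ATTR_ROW_STATUS_PTR
// from the report with a stand-in for the driver's statement handle; real code
// would go through SQLSetStmtAttr(hstmt, SQL_ATTR_ROW_STATUS_PTR, p, SQL_IS_POINTER).
#include <cstdint>

typedef std::uint16_t SQLUSMALLINT;     // same width as the ODBC typedef
const SQLUSMALLINT SQL_ROW_SUCCESS = 0; // status the driver stores per fetched row

// Stand-in for the driver-side statement handle: it keeps only the address the
// application registered, exactly as SQL_ATTR_ROW_STATUS_PTR does.
struct StmtHandle { SQLUSMALLINT* rowStatusPtr = nullptr; };

// Stand-in for setStmtOption<SQLUSMALLINT*, SQL_IS_POINTER>(SQL_ATTR_ROW_STATUS_PTR, p).
void setRowStatusPtr(StmtHandle& stmt, SQLUSMALLINT* p) { stmt.rowStatusPtr = p; }

// What the driver does on the next fetch: write the row status wherever the
// handle points. Returns false when no array is registered.
bool driverFetch(StmtHandle& stmt) {
    if (stmt.rowStatusPtr == nullptr) return false;
    stmt.rowStatusPtr[0] = SQL_ROW_SUCCESS;
    return true;
}

class OResultSetModel {
public:
    // clearOnDestroy=false reproduces the reported destructor, true the proposed fix
    OResultSetModel(StmtHandle& s, bool clearOnDestroy)
        : m_stmt(s), m_clear(clearOnDestroy), m_pRowStatusArray(new SQLUSMALLINT[1]) {
        setRowStatusPtr(m_stmt, m_pRowStatusArray);   // as in the report's constructor
    }
    ~OResultSetModel() {
        if (m_clear) setRowStatusPtr(m_stmt, nullptr); // the fix: driver forgets the address
        delete[] m_pRowStatusArray;                    // without it, the handle now dangles
    }
private:
    StmtHandle& m_stmt;
    bool m_clear;
    SQLUSMALLINT* m_pRowStatusArray;
};

// True if, once the result set is gone, the driver would still write through the
// registered address, i.e. into freed memory. Checked without dereferencing it.
bool driverWouldWriteAfterFree(bool useFix) {
    StmtHandle stmt;
    { OResultSetModel rs(stmt, useFix); }
    return stmt.rowStatusPtr != nullptr;
}
```

Run the buggy variant under valgrind with a real fetch and it reports the invalid write the report describes; the fixed variant leaves the driver with no address to write to.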
Libreoffice-bugs mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs