Bugs item #1609157, was opened at 2006-12-05 11:57
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=642714&aid=1609157&group_id=105970
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: extensions
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: James Hebben (hebbja)
Assigned to: Scott Kurtzeborn (scotk)
Summary: SqlScript task may execute with garbage SQL chars
Initial Comment:
I have been experiencing failures from the SqlScript task in Wix
(wix-2.0.4415.0) and I have tracked the problem to a bug in the C++ code that
reads the script contents into memory. This error is also present in the HEAD
Wix 3 code base.
Description:
~~~~~~~~~~~~
When installing a Wix MSI that uses the SqlScript task, an error may occur with
the following message:
"Error -2147218900: failed to execute SQL string, error detail:..."
This error only occurs when the SqlScript task references a UNICODE file.
The bug is in the C++ extension code that processes the stream record that
contains the SQL file contents.
File: src\ca\serverca\scasched\scasqlstr.cpp
Function: ScaSqlStrsReadScripts
Line (wix-2.0.4415.0): 231
Snippet:
~~~~~~~~
else
{
    cchScript = (cbScript / sizeof(WCHAR)); // because we'll start copying after the 'unicode file' character, we don't need +1 for null
    hr = StrAllocString(&wzTmp, ((WCHAR*)szScript) + 1, cchScript);
Bug description:
~~~~~~~~~~~~~~~~
The local cchScript contains the WCHAR count of the FULL stream (i.e. a count
that includes the leading UNICODE marker code).
The comment states that "we don't need +1 for null". This is only partly true.
The problem is that the call to StrAllocString asks to copy cchScript elements
from "((WCHAR*)szScript) + 1", and that runs from WCHAR position 1 to (and
including) one WCHAR past the end of "((WCHAR*)szScript)".
Now, the local szScript is NOT a NULL-terminated string. This means that one
character past the end of the string is copied to the destination and, if that
string is 'bad garbage', then the resultant SQL string will end in an illegal
character, possibly resulting in a malformed SQL string.
Example:
~~~~~~~~
ASCII stream retrieved from MSI:
UNICODE_MARKER1|UNICODE_MARKER2|CHAR1_1|CHAR1_2|CHAR2_1|CHAR2_2
cbScript=6
UNICODE stream equivalent (without UNICODE markers)
WCHAR1|WCHAR2
cchScript=3 (cbScript/2)
Code calls StrAllocString to copy cchScript FROM UNICODE stream to destination.
i.e. copy this lot please:
WCHAR1|WCHAR2|WCHAR?
WCHAR? is whatever happens to be at the memory address immediately following the
end of the SQL stream.
Fix:
~~~~
The call to StrAllocString should request to copy "cchScript-1" WCHARS:
hr = StrAllocString(&wzTmp, ((WCHAR*)szScript) + 1, cchScript-1);
AND a NULL terminator must then be placed at the end of the destination string
(as with the ASCII copy):
wzTmp[cchScript-1] = 0;
----------------------------------------------------------------------
_______________________________________________
WiX-devs mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/wix-devs
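The off-by-one described in the report, reproduced as an added example (this is not code from the report or from the WiX source). It assumes a 16-bit WCHAR (typedef'd as uint16_t so the arithmetic is the same on platforms where wchar_t is 32 bits), a constructed in-memory stream with a deliberately non-terminated UTF-16 body followed by a known garbage code unit, and a local stand-in for StrAllocString that allocates cch+1 units, copies cch and NUL-terminates, which is what the "we don't need +1 for null" comment implies the real function does.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: WCHAR is a 16-bit code unit as on Windows; uint16_t keeps the
   arithmetic identical on platforms where wchar_t is 32 bits. */
typedef uint16_t WCHAR;

#define UNICODE_MARKER 0xFEFFu   /* the leading 'unicode file' character (UTF-16 BOM) */

/* Constructed stand-in for the stream record read from the MSI. It is
   deliberately NOT NUL-terminated: the stream is the BOM plus eight code
   units, and the unit that happens to sit in memory right after it (0x1234)
   plays the role of "WCHAR?" from the report. */
static const WCHAR kMemory[] = {
    UNICODE_MARKER, 'S', 'E', 'L', 'E', 'C', 'T', ' ', '1',   /* the stream */
    0x1234                                                   /* garbage after it */
};
static const size_t cbScript = 9 * sizeof(WCHAR);            /* BOM + 8 units */

/* Stand-in for WiX's StrAllocString(): allocate cch+1 units, copy cch of
   them from src, NUL-terminate. Returns NULL on allocation failure. */
static WCHAR *StrAllocStringStub(const WCHAR *src, size_t cch) {
    WCHAR *dst = malloc((cch + 1) * sizeof(WCHAR));
    if (dst == NULL) return NULL;
    memcpy(dst, src, cch * sizeof(WCHAR));
    dst[cch] = 0;
    return dst;
}

/* The wix-2.0.4415.0 logic: cchScript counts every unit in the stream,
   including the BOM, but the copy starts one unit past the BOM, so the last
   unit copied lies one past the end of the stream. */
WCHAR *ReadScriptBuggy(const unsigned char *script, size_t cb) {
    size_t cchScript = cb / sizeof(WCHAR);
    return StrAllocStringStub((const WCHAR *)script + 1, cchScript);
}

/* The fix proposed in the report: copy cchScript-1 units and terminate at
   wzTmp[cchScript-1] (the stub's dst[cch] is exactly that position). */
WCHAR *ReadScriptFixed(const unsigned char *script, size_t cb) {
    size_t cchScript = cb / sizeof(WCHAR);
    if (cchScript == 0) return NULL;            /* no BOM, nothing to copy */
    return StrAllocStringStub((const WCHAR *)script + 1, cchScript - 1);
}

static size_t WideLen(const WCHAR *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Number of units in the converted script (0 on failure). */
size_t ConvertedLength(int use_fix) {
    const unsigned char *szScript = (const unsigned char *)kMemory;
    WCHAR *w = use_fix ? ReadScriptFixed(szScript, cbScript)
                       : ReadScriptBuggy(szScript, cbScript);
    size_t n = w ? WideLen(w) : 0;
    free(w);
    return n;
}

/* Last unit before the terminator: shows whether garbage leaked in. */
WCHAR ConvertedLastUnit(int use_fix) {
    const unsigned char *szScript = (const unsigned char *)kMemory;
    WCHAR *w = use_fix ? ReadScriptFixed(szScript, cbScript)
                       : ReadScriptBuggy(szScript, cbScript);
    WCHAR last = 0;
    if (w && w[0] != 0) last = w[WideLen(w) - 1];
    free(w);
    return last;
}

int main(void) {
    printf("buggy: %zu units, last = U+%04X\n", ConvertedLength(0), ConvertedLastUnit(0));
    printf("fixed: %zu units, last = U+%04X\n", ConvertedLength(1), ConvertedLastUnit(1));
    return 0;
}
```

With the buggy routine the converted script is nine units long and ends in U+1234, the unit that lives after the stream; with the corrected count it is eight units long and ends in '1'. In the real custom action the trailing unit is whatever follows the stream buffer, so the symptom depends on heap layout, which is why the failure in the report is intermittent rather than deterministic.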