From df86ee35791143d29625c9d87ca4f3a25f972f5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Fri, 26 Jan 2018 14:02:53 +0200
Subject: [PATCH] Fix buffer overflow assertions

The buffer overflow assertions were off by one: The data pointer can be equal to the end pointer when the last column of the row is processed.
---
 server/modules/routing/avrorouter/avro_rbr.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/server/modules/routing/avrorouter/avro_rbr.c b/server/modules/routing/avrorouter/avro_rbr.c
index d3b5c6a87..4c506f284 100644
--- a/server/modules/routing/avrorouter/avro_rbr.c
+++ b/server/modules/routing/avrorouter/avro_rbr.c
@@ -564,7 +564,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 avro_value_set_string(&field, strval);
 sprintf(trace[i], "[%ld] ENUM: %lu bytes", i, bytes);
 ptr += bytes;
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 else
 {
@@ -600,7 +600,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 str[bytes] = '\0';
 avro_value_set_string(&field, str);
 ptr += bytes;
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 }
 else if (column_is_bit(map->column_types[i]))
@@ -619,7 +619,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 avro_value_set_int(&field, value);
 sprintf(trace[i], "[%ld] BIT", i);
 ptr += bytes;
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 else if (column_is_decimal(map->column_types[i]))
 {
@@ -627,7 +627,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 ptr += unpack_decimal_field(ptr, metadata + metadata_offset, &f_value);
 avro_value_set_double(&field, f_value);
 sprintf(trace[i], "[%ld] DECIMAL", i);
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 else if (column_is_variable_string(map->column_types[i]))
 {
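Review bot: The relaxed bound at `+ check_overflow(ptr <= end);` in the 600 hunk still runs after `str[bytes] = '\0'` was written and `ptr += bytes` consumed the row, so a `bytes` value larger than the remaining row data is detected only once the out-of-range read has already happened; and because `ptr == end` now passes for every column rather than only the last one, a row that ends exactly at a non-final column boundary is accepted here and the next column's unpack starts reading at `end` before its own check fires. A guard placed before the copy into `str` (the copy itself sits above the hunk) closes both gaps without touching the post-advance assertion: `check_overflow(bytes <= (size_t)(end - ptr));`. Comparing the remaining length instead of writing `ptr + bytes > end` also avoids forming a pointer past the buffer, which is undefined behaviour in C. process_row_event_data and its per-column loop begin and end outside this hunk, and where `bytes` originates is not visible here, so it should be treated as binlog-supplied input until confirmed otherwise.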
@@ -650,7 +650,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 buf[sz] = '\0';
 ptr += sz;
 avro_value_set_string(&field, buf);
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 else if (column_is_blob(map->column_types[i]))
 {
@@ -669,7 +669,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 uint8_t nullvalue = 0;
 avro_value_set_bytes(&field, &nullvalue, 1);
 }
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 else if (column_is_temporal(map->column_types[i]))
 {
@@ -681,7 +681,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 format_temporal_value(buf, sizeof(buf), map->column_types[i], &tm);
 avro_value_set_string(&field, buf);
 sprintf(trace[i], "[%ld] %s: %s", i, column_type_to_string(map->column_types[i]), buf);
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 /** All numeric types (INT, LONG, FLOAT etc.) */
 else
@@ -692,7 +692,7 @@ uint8_t* process_row_event_data(TABLE_MAP *map, TABLE_CREATE *create, avro_value
 &metadata[metadata_offset], lval);
 set_numeric_field_value(&field, map->column_types[i], &metadata[metadata_offset], lval);
 sprintf(trace[i], "[%ld] %s", i, column_type_to_string(map->column_types[i]));
- check_overflow(ptr < end);
+ check_overflow(ptr <= end);
 }
 ss_dassert(metadata_offset <= map->column_metadata_size);
 metadata_offset += get_metadata_len(map->column_types[i]);
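Review bot: In the 650 hunk the check at `+ check_overflow(ptr <= end);` comes after `buf[sz] = '\0'` and `ptr += sz`, so the row bytes have already been read (the copy into `buf` sits above the hunk) before `sz` is ever compared with the data that remains; the guard belongs ahead of that copy, as `check_overflow(sz <= (size_t)(end - ptr));`, with the existing post-advance line kept as a secondary assertion. Neither the origin of `sz` nor the size of `buf` is visible here, so it is also worth confirming that `sz` was clamped to `sizeof(buf) - 1` before the NUL write at `buf[sz]`; if it was not, a variable-length column longer than `buf` overflows that buffer regardless of the `end` bound this commit corrects. The else-if chain this hunk belongs to continues past both of its edges.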
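Review bot: The trace line `sprintf(trace[i], "[%ld] %s: %s", i, column_type_to_string(map->column_types[i]), buf);` in the 681 hunk copies the whole formatted `buf` into `trace[i]` with no length limit, while `buf` itself is bounded only by `sizeof(buf)` in the `format_temporal_value` call two lines above; the size of `trace[i]` is not visible, so this is safe only if it is guaranteed to exceed `buf` plus the prefix and the type name. If `trace` is a fixed two-dimensional char array, `snprintf(trace[i], sizeof(trace[i]), "[%ld] %s: %s", i, column_type_to_string(map->column_types[i]), buf);` bounds it with no other change; otherwise the bound has to come from wherever `trace` is allocated. `trace` is declared outside this hunk.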
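Review bot: If `check_overflow` expands to a debug-only assertion, as the commit subject ("buffer overflow assertions") and the neighbouring `ss_dassert(metadata_offset <= map->column_metadata_size);` suggest, the corrected `+ check_overflow(ptr <= end);` in the 692 hunk gives release builds no protection at all against a row event whose declared lengths run past the buffer; the macro's definition is not in this diff, so this needs confirming. A bounds check on replication data should fail in every build: have the macro log and return an error value unconditionally and reserve `ss_dassert` for invariants that do not depend on input. Here too the check runs after the numeric unpack whose tail `&metadata[metadata_offset], lval);` opens the hunk has already advanced `ptr` past the bytes it read, so a check against `(size_t)(end - ptr)` before that read would be the stronger guard. The column loop and the function continue outside the hunk.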