Qt / QTBUG-37508

QIBaseDriver::open() corrupts memory heap

Details

    • Type: Bug
    • Resolution: Done
    • Priority: P2: Important
    • Fix Version/s: 4.8.6, 5.3.0
    • Affects Version/s: 4.8.4, 4.8.5, 5.0.0, 5.1.0, 5.2.0
    • Component/s: SQL Support
    • Labels: None
    • Environment: Microsoft Visual C++ Compiler 10.0 (x86)
      Windows 7 SP1
      Qt 5.2.0
    • Commits: 0d50efeae9829336ffb7e47692cfdc649e10ee70 (stable, 18.4.2014,5.3) Qt 4: c1d177d52cfffe61198cfa5ec76bae0c2f44a362 (4.8, 19.3.2014)

    Description

      The byte array size is less than necessary:

      QByteArray ba;
      ba.resize(usr.length() + pass.length() + enc.length() + role.length() + 6); // 6 additional bytes were allocated (why only 6?)
      int i = -1;
      ba[++i] = isc_dpb_version1; // first
      ba[++i] = isc_dpb_user_name; // second
      ba[++i] = usr.length(); // third
      memcpy(ba.data() + ++i, usr.data(), usr.length());
      i += usr.length();
      ba[i] = isc_dpb_password; // fourth
      ba[++i] = pass.length(); // fifth
      memcpy(ba.data() + ++i, pass.data(), pass.length());
      i += pass.length();
      ba[i] = isc_dpb_lc_ctype; // sixth
      ba[++i] = enc.length(); // !!!!!! seventh
      memcpy(ba.data() + ++i, enc.data(), enc.length());
      i += enc.length();

      if (!role.isEmpty()) {
          ba[i] = isc_dpb_sql_role_name; // !!!!!!!
          ba[++i] = role.length(); // !!!!!!!
          memcpy(ba.data() + ++i, role.data(), role.length());
          i += role.length();
      }
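
Added example (not code from the Qt source or from the fix for this issue): plain C++ without Qt that computes the size the layout above needs and builds the buffer by appending instead of by indexed writes. The names `dpbSize`, `appendItem`, `buildDpb` and the `k...` constants are made up for this sketch; the constants are local stand-ins for the `isc_dpb_*` tags from ibase.h.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Local stand-ins for the isc_dpb_* tags from ibase.h (assumed values),
// so the example builds without the Firebird client headers.
enum : std::uint8_t { kVersion1 = 1, kUserName = 28, kPassword = 29,
                      kLcCtype = 48, kSqlRoleName = 60 };

// Bytes the layout in the report needs: 1 version byte plus a tag byte and
// a length byte per field. That is 7 fixed bytes without a role and 9 with
// one, against the 6 reserved by the resize() call.
std::size_t dpbSize(const std::string &usr, const std::string &pass,
                    const std::string &enc, const std::string &role)
{
    std::size_t n = 1 + (2 + usr.size()) + (2 + pass.size()) + (2 + enc.size());
    if (!role.empty())
        n += 2 + role.size();
    return n;
}

// Append one tag/length/value item; the length field is a single byte.
static void appendItem(std::vector<std::uint8_t> &dpb, std::uint8_t tag,
                       const std::string &value)
{
    if (value.size() > 255)
        throw std::length_error("DPB item longer than 255 bytes");
    dpb.push_back(tag);
    dpb.push_back(static_cast<std::uint8_t>(value.size()));
    dpb.insert(dpb.end(), value.begin(), value.end());
}

// Build the buffer by appending, so no write can land past the allocation.
std::vector<std::uint8_t> buildDpb(const std::string &usr, const std::string &pass,
                                   const std::string &enc, const std::string &role)
{
    std::vector<std::uint8_t> dpb;
    dpb.reserve(dpbSize(usr, pass, enc, role));
    dpb.push_back(kVersion1);
    appendItem(dpb, kUserName, usr);
    appendItem(dpb, kPassword, pass);
    appendItem(dpb, kLcCtype, enc);
    if (!role.empty())
        appendItem(dpb, kSqlRoleName, role);
    return dpb;
}
```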


          People

            kleint Friedemann Kleint
            akm-47 Grigory Kalashnikov