commit 2e5dad443a30055d93dbcb3bf9cac906e80b2e25
author Mike Kaganski <mike.kaganski@collabora.com> Wed Sep 01 17:41:05 2021 +0200
committer Mike Kaganski <mike.kaganski@collabora.com> Thu Sep 02 06:11:08 2021 +0200
tree 399c956979675a7e63193dcdc8a662cb8c0e253e
parent 368e21fbc34fa4104f16498a54ab77704f39e6b4

tdf#144230: sanitize string length embedded in SQL_VARYING data

It is unclear why the length may be wrong; but at least be safe to
avoid buffer overruns.

Wrt the validity of sqllen here: see SQLDAMetadata::scatterData in
firebird's src/yvalve/why.cpp.

Change-Id: Icc24c1cc0db66c20732188ab0621cde53c1ba5c2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121458
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>

connectivity/source/drivers/firebird/ResultSet.cxx

diff --git a/connectivity/source/drivers/firebird/ResultSet.cxx b/connectivity/source/drivers/firebird/ResultSet.cxx
index 0e0361a..17e87cf 100644
--- a/connectivity/source/drivers/firebird/ResultSet.cxx
+++ b/connectivity/source/drivers/firebird/ResultSet.cxx
@@ -579,10 +579,11 @@
    else if (aSqlType == SQL_VARYING)
    {
        // First 2 bytes are a short containing the length of the string
        // No idea if sqllen is still valid here?
        // Under unclear conditions, it may be wrong and greater than sqllen.
        sal_uInt16 aLength = *reinterpret_cast<sal_uInt16*>(m_pSqlda->sqlvar[nColumnIndex-1].sqldata);
        // Use greater signed type sal_Int32 to get the minimum of two 16-bit values
        return OUString(m_pSqlda->sqlvar[nColumnIndex-1].sqldata + 2,
                        aLength,
                        std::min<sal_Int32>(aLength, m_pSqlda->sqlvar[nColumnIndex-1].sqllen),
                        RTL_TEXTENCODING_UTF8);
    }
    else if ((aSqlType == SQL_SHORT || aSqlType == SQL_LONG ||