From a51b14d4729c24033d126ae68413ab4ab45676d6 Mon Sep 17 00:00:00 2001
From: Stefan Roas <stefan.roas@fau.de>
Date: Fri, 13 Mar 2015 17:36:31 +0100
Subject: [PATCH] Buffer Overflow in dbdimp.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hi there,

I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
sprintf to a fix-sized buffer that (quite likely in two cases) might be
too small to hold the final result.

Attached you find a patch that solves the problem by increasing the size
of the buffer to a value that should be large enough for every
conceivable input given the conversion specification and additionally
use snprintf() instead of sprintf(). As snprintf() is already used
somewhere else in dbdimp.c I figure there are no portability issues
involved.

I did not check the other uses of sprintf, although it might be
worthwhile to do so as a quick check found other locations where a
fix-sized buffer is involved.

Best regards,
  Stefan

--
Stefan Roas, Datenbanken und studentische Vefahren
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Hugenottenplatz 1A, 91054 Erlangen, Deutschland
Tel.: +49 9131 85-29018
Fax : +49 9131 85-25777
stefan.roas@fau.de
http://www.rrze.fau.de
---
 dbdimp.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/dbdimp.c
+++ b/dbdimp.c
@@ -18,6 +18,8 @@
 
 DBISTATE_DECLARE;
 
+#define ERRBUFSIZE  255
+
 #define IB_SQLtimeformat(xxh, format, sv)                             \
 do {                                                                  \
     STRLEN len;                                                       \
@@ -2187,8 +2189,8 @@
             /*
             * User passed an undef to a field that is not nullable.
             */
-            char err[80];
-            sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);
+            char err[ERRBUFSIZE];
+            snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i);
             do_error(sth, 1, err);
             retval = FALSE;
             return retval;
@@ -2227,8 +2229,8 @@
             else encoded = (U8*)string;
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
                 break;
             }
@@ -2262,8 +2264,8 @@
             else encoded = (U8*)string;
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
                 break;
             }