postgresql-interfaces/psqlodbc GitHub issues and pull requests (mirror)  
From: kkevin-cloud (@kkevin-cloud) <[email protected]>
To: postgresql-interfaces/psqlodbc <[email protected]>
Subject: [postgresql-interfaces/psqlodbc] issue #119: Security: Potential integer overflow in bindcol_localize_exec()
Date: Tue, 27 May 2025 13:53:34 +0000
Message-ID: <[email protected]> (raw)

## Security Issue

A potential integer overflow vulnerability has been identified in the `bindcol_localize_exec()` function in `win_unicode.c`.

### Problem Description
The function `bindcol_localize_exec()` takes a `size_t n` parameter and passes it to `wstrtomsg()`, which expects an `int` parameter. This implicit conversion from `size_t` (unsigned) to `int` (signed) can cause integer overflow when `n > INT_MAX`.

### Location
- File: `win_unicode.c`
- Function: `bindcol_localize_exec()`
- Line: `l = wstrtomsg(wcsalc, ldt, n);`

### Impact
- Buffer size miscalculation due to integer overflow
- Potential buffer overflow
- Possible security vulnerability (CWE-190: Integer Overflow or Wraparound)

### Suggested Fix
Add a size check before the conversion:

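```c
#include <limits.h>	/* INT_MAX */

SQLLEN bindcol_localize_exec(char *ldt, size_t n, BOOL lf_conv, char **wcsbuf)
{
    SQLLEN l = (-2);

    /* wstrtomsg() takes the length as int: reject any n that does not fit
     * before the conversion, instead of passing a converted value. */
    if (n > INT_MAX) {
        // Handle error case
        return -1;
    }

    if (use_wcs)
    {
        wchar_t *wcsalc = (wchar_t *) *wcsbuf;
        l = wstrtomsg(wcsalc, ldt, (int)n);
    }
    // ...
}
```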
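
The following is an added example, not part of the issue and not psqlodbc code. It shows why the range check has to run before the `size_t` to `int` conversion: on a 64-bit build a length above `INT_MAX` can arrive as a small positive `int`, so a sign check after the conversion would miss it. `callee_sees()`, `narrowed_unchecked()` and `size_to_int()` are hypothetical names, and the sample lengths are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a callee that takes its buffer length as int
 * (the issue says wstrtomsg() does; this is not the driver's function). */
static int callee_sees(int buflen) { return buflen; }

/* Unchecked narrowing, as in the reported call. Once n > INT_MAX the value
 * the callee receives is implementation-defined (gcc and clang keep the
 * low bits, so it can be negative or a small positive number). */
int narrowed_unchecked(size_t n) { return callee_sees((int) n); }

/* Checked narrowing: compare in size_t first, convert only if it fits.
 * Returns 0 and stores the length on success, -1 if n is too large. */
int size_to_int(size_t n, int *out)
{
    if (n > (size_t) INT_MAX)
        return -1;
    *out = (int) n;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths. big is 2^32 + 5 with a 64-bit size_t
     * (the double shift keeps the expression valid on 32-bit builds). */
    size_t big = ((size_t) 1 << 16 << 16) + 5;
    size_t samples[] = { 16, (size_t) INT_MAX, (size_t) INT_MAX + 1, big };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0;
        int rc = size_to_int(samples[i], &v);
        printf("n=%zu unchecked=%d checked=%s\n", samples[i],
               narrowed_unchecked(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```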