Message-ID:
From: "kkevin-cloud (@kkevin-cloud)"
To: "postgresql-interfaces/psqlodbc"
Date: Tue, 27 May 2025 13:53:34 +0000
Subject: [postgresql-interfaces/psqlodbc] issue #119: Security: Potential integer overflow in bindcol_localize_exec()
List-Id:
X-GitHub-Author-Id: 212338250
X-GitHub-Author-Login: kkevin-cloud
X-GitHub-Issue: 119
X-GitHub-Repo: postgresql-interfaces/psqlodbc
X-GitHub-State: closed
X-GitHub-Type: issue
X-GitHub-Url: https://github.com/postgresql-interfaces/psqlodbc/issues/119
Content-Type: text/plain; charset=utf-8

## Security Issue

A potential integer overflow vulnerability has been identified in the `bindcol_localize_exec()` function in `win_unicode.c`.

### Problem Description

The function `bindcol_localize_exec()` takes a `size_t n` parameter and passes it to `wstrtomsg()`, which expects an `int` parameter. This implicit conversion from `size_t` (unsigned) to `int` (signed) can cause integer overflow when `n > INT_MAX`.

### Location

File: win_unicode.c
Function: `bindcol_localize_exec()`
Line: `l = wstrtomsg(wcsalc, ldt, n);`

### Impact

- Buffer size miscalculation due to integer overflow
- Potential buffer overflow
- Possible security vulnerability (CWE-190: Integer Overflow or Wraparound)

### Suggested Fix

Add a size check before the conversion:

```c
SQLLEN bindcol_localize_exec(char *ldt, size_t n, BOOL lf_conv, char **wcsbuf)
{
    SQLLEN l = (-2);

    if (n > INT_MAX) {
        // Handle error case
        return -1;
    }

    if (use_wcs) {
        wchar_t *wcsalc = (wchar_t *) *wcsbuf;
        l = wstrtomsg(wcsalc, ldt, (int)n);
    }
    // ...
}
```
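The `size_t` to `int` narrowing described in this issue, shown as an added stand-alone example that is not part of the original report or of psqlodbc. `narrow_unchecked`, `size_to_int` and `callee_accepts_len` are hypothetical names, and the sample sizes are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* What an implicit size_t -> int argument conversion does. Above INT_MAX
 * the result is implementation-defined; GCC and Clang keep the low bits. */
static int narrow_unchecked(size_t n)
{
    return (int) n;
}

/* Checked narrowing: 0 and *out set on success, -1 if n does not fit. */
static int size_to_int(size_t n, int *out)
{
    if (n > (size_t) INT_MAX)
        return -1;
    *out = (int) n;
    return 0;
}

/* Hypothetical callee that takes an int length and skips lengths <= 0. */
static int callee_accepts_len(int buflen)
{
    return buflen > 0;
}

int main(void)
{
    /* Constructed sample sizes around the int boundary. */
    size_t samples[] = { 16, (size_t) INT_MAX, (size_t) INT_MAX + 1,
                         (size_t) UINT_MAX + 1 + 64 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int checked = 0;
        int rc = size_to_int(samples[i], &checked);
        int raw = narrow_unchecked(samples[i]);

        printf("n=%zu unchecked=%d accepted=%d checked=%s\n",
               samples[i], raw, callee_accepts_len(raw),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The last sample is the case a sign check alone misses: the narrowed length is a small positive number that no longer matches the caller's size, so only the range check before the cast rejects it.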