postgresql-interfaces/psqlodbc GitHub issues and pull requests (mirror)  
[postgresql-interfaces/psqlodbc] issue #119: Security: Potential integer overflow in bindcol_localize_exec()
2+ messages / 2 participants

* [postgresql-interfaces/psqlodbc] issue #119: Security: Potential integer overflow in bindcol_localize_exec()
@ 2025-05-27 13:53 "kkevin-cloud (@kkevin-cloud)" <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: kkevin-cloud (@kkevin-cloud) @ 2025-05-27 13:53 UTC (permalink / raw)
  To: postgresql-interfaces/psqlodbc <[email protected]>

## Security Issue

A potential integer overflow vulnerability has been identified in the `bindcol_localize_exec()` function in `win_unicode.c`.

### Problem Description
The function `bindcol_localize_exec()` takes a `size_t n` parameter and passes it to `wstrtomsg()` which expects an `int` parameter. This implicit conversion from `size_t` (unsigned) to `int` (signed) can cause integer overflow when `n > INT_MAX`.

### Location
File: win_unicode.c
Function: `bindcol_localize_exec()`
Line: `l = wstrtomsg(wcsalc, ldt, n);`

### Impact
- Buffer size miscalculation due to integer overflow
- Potential buffer overflow
- Possible security vulnerability (CWE-190: Integer Overflow or Wraparound)

### Suggested Fix
Add a size check before the conversion:

```c
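#include <limits.h>   /* INT_MAX */

SQLLEN bindcol_localize_exec(char *ldt, size_t n, BOOL lf_conv, char **wcsbuf)
{
    SQLLEN l = (-2);

    /* Reject lengths that do not fit in the int parameter of wstrtomsg() */
    if (n > INT_MAX) {
        // Handle error case
        return -1;
    }

    if (use_wcs)
    {
        wchar_t *wcsalc = (wchar_t *) *wcsbuf;
        /* The cast cannot change the value: n <= INT_MAX was checked above */
        l = wstrtomsg(wcsalc, ldt, (int)n);
    }
    // ...
}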
```


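
An added illustration of the `size_t` to `int` narrowing described in the report above, not code from psqlodbc or from the issue author. `callee_len` is a hypothetical stand-in for a callee with an `int` length parameter such as `wstrtomsg()`, and `size_to_int`, `unchecked_call` and `checked_call` are names assumed here; the sample lengths are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a callee with an int length parameter, such as
 * wstrtomsg() in the report; it just returns the length it was given. */
static int callee_len(int len) { return len; }

/* Reported pattern: the size_t is narrowed to int at the call site. For
 * n > INT_MAX the result is implementation-defined; GCC, Clang and MSVC
 * keep the low-order bits, so the callee sees a negative or small length. */
static int unchecked_call(size_t n) { return callee_len((int) n); }

/* Checked narrowing: returns 1 and stores the value if it fits in int,
 * otherwise returns 0 and leaves *out untouched. */
static int size_to_int(size_t n, int *out)
{
    if (n > (size_t) INT_MAX)
        return 0;
    *out = (int) n;
    return 1;
}

/* Guarded pattern, in the spirit of the suggested fix: refuse the call
 * instead of handing the callee a wrapped length. Returns -1 on refusal. */
static int checked_call(size_t n)
{
    int len;
    if (!size_to_int(n, &len))
        return -1;
    return callee_len(len);
}

int main(void)
{
    /* Constructed sample lengths; the last one needs a 64-bit size_t. */
    size_t samples[] = { 16, (size_t) INT_MAX, (size_t) INT_MAX + 1,
                         ((size_t) 1 << 16 << 16) + 5 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("n=%zu unchecked=%d checked=%d\n", samples[i],
               unchecked_call(samples[i]), checked_call(samples[i]));
    return 0;
}
```

On a 64-bit build the last sample reaches the unguarded callee as 5, so a length above `INT_MAX` can arrive as a small positive value as well as a negative one.
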

* Re: [postgresql-interfaces/psqlodbc] issue #119: Security: Potential integer overflow in bindcol_localize_exec()
@ 2025-05-27 15:15 "davecramer (@davecramer)" <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: davecramer (@davecramer) @ 2025-05-27 15:15 UTC (permalink / raw)
  To: postgresql-interfaces/psqlodbc <[email protected]>

closed via PR #121 
