Message-ID:
From: "0xYashwanth (@0xYashwanth)"
To: "postgresql-interfaces/psqlodbc"
Date: Mon, 22 Dec 2025 11:08:47 +0000
Subject: [postgresql-interfaces/psqlodbc] issue #149: Unsigned Integer Underflow in convert_to_pgbinary()
List-Id:
X-GitHub-Author-Id: 106170210
X-GitHub-Author-Login: 0xYashwanth
X-GitHub-Issue: 149
X-GitHub-Repo: postgresql-interfaces/psqlodbc
X-GitHub-State: closed
X-GitHub-Type: issue
X-GitHub-Url: https://github.com/postgresql-interfaces/psqlodbc/issues/149
Content-Type: text/plain; charset=utf-8

**Bug Report: Unsigned Integer Underflow in convert_to_pgbinary()**

**Summary:**
`convert_to_pgbinary()` in convert.c does not check for error return from `pg_bin2hex()`, causing unsigned integer underflow when buffer overlap is detected.

**Location:**
File: convert.c, Function: `convert_to_pgbinary()`, Line: ~6325

**Issue:**

```c
size_t o = 0;  // unsigned
// ... o becomes 3 after adding escape prefix
o += pg_bin2hex(in, out + o, len);  // Can return -1 on error
return o;  // Returns corrupted value
```

When `pg_bin2hex()` detects dangerous buffer overlap, it returns -1. This signed value is added to the unsigned `size_t` variable `o`, causing wraparound. The function then returns success with a corrupted length instead of propagating the error.

**Impact:**
- Error condition silently ignored
- Caller receives invalid data with incorrect length
- Potential buffer overruns if returned value is used for further operations
- Data corruption masked as success

**Fix:**
Check return value before adding to unsigned variable:

```c
SQLLEN hexlen = pg_bin2hex(in, out + o, len);
if (hexlen < 0)
    return hexlen;  // Propagate error
o += hexlen;
```

**Affected Code Path:**
PostgreSQL 9.0+ binary data conversion with hex format (`FLGB_HEX_BIN_FORMAT` flag set).

*Report refined using AI
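
An added example, not part of the original report and not psqlodbc code: a self-contained C sketch of the pattern described above, with the unchecked addition beside the checked form. `toy_bin2hex`, `convert_unchecked`, `convert_checked`, `demo`, the 3-byte prefix, the simplified overlap test and the `long` return types are all assumptions made for illustration; with `o` starting at 3, the wrapped result is 2, which a caller cannot tell apart from a valid short length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for pg_bin2hex(): hex length, or -1 on overlap. */
static long toy_bin2hex(const unsigned char *src, char *dst, long len)
{
    static const char digits[] = "0123456789abcdef";
    uintptr_t s = (uintptr_t)src, d = (uintptr_t)dst;
    if (d < s + (uintptr_t)len && s < d + 2 * (uintptr_t)len) return -1;
    for (long i = 0; i < 2 * len; i++)  /* even i: high nibble, odd i: low */
        dst[i] = digits[(src[i / 2] >> (i % 2 ? 0 : 4)) & 0x0f];
    return 2 * len;
}

/* Pattern from the report: the error return is added to an unsigned length. */
static size_t convert_unchecked(const unsigned char *in, char *out, long len)
{
    size_t o = 3;
    memcpy(out, "\\\\x", o);            /* constructed 3-byte prefix */
    o += toy_bin2hex(in, out + o, len); /* -1 converts to SIZE_MAX: 3 wraps to 2 */
    return o;
}

/* Pattern from the proposed fix: test the signed result before adding it. */
static long convert_checked(const unsigned char *in, char *out, long len)
{
    size_t o = 3;
    memcpy(out, "\\\\x", o);
    long hexlen = toy_bin2hex(in, out + o, len);
    if (hexlen < 0) return hexlen;      /* propagate the error */
    return (long)(o + (size_t)hexlen);
}

/* Constructed input; alias != 0 places the input right after the prefix. */
static long demo(int checked, int alias)
{
    unsigned char src[4] = {0xde, 0xad, 0xbe, 0xef};
    char buf[32] = {0};
    const unsigned char *in = src;
    if (alias) { memcpy(buf + 3, src, 4); in = (unsigned char *)buf + 3; }
    return checked ? convert_checked(in, buf, 4) : (long)convert_unchecked(in, buf, 4);
}

int main(void)
{
    printf("unchecked=%ld checked=%ld\n", demo(0, 1), demo(1, 1));
    return 0;
}
```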