From: Brett H. <br...@hu...> - 2008-07-24 14:15:17
OK, the problem seems to be if the memo field is longer than MDB_BIND_SIZE bytes in length (defined in mdbtools.h and currently 16384), then the mdb_memo_to_string function in data.c fails. Specifically the function mdb_unicode2ascii in iconv.c does a copy from the source buffer to the dest buffer using the source length instead of the minimum of the source length & the dest buffer length (in case the destination buffer is too small).

I've attached a patch for data.c that should fix the problem. It increases the size of the "text" buffer if the memo is larger than MDB_BIND_SIZE bytes.

I was wondering why the function always seems to allocate MDB_BIND_SIZE bytes though? It seems as though a little later in the function we actually read the size of the memo field, and we can then just allocate the right number of bytes directly. (Although I guess there is potentially a bit mask encoded in the length, which you'd need to mask out in order to get the actual length.)

The fix to mdb_memo_to_string in iconv.c seems to be worth doing purely in terms of stopping buffer overflow issues, but it might be easier if the function is refactored a bit. Basically code like the following only addresses the problem in one place in the function, whereas it also exists in the else block of code following this, and I haven't checked the block of code dealing with compressed Unicode strings, or the #ifdef HAVE_ICONV block (basically we strncpy the minimum of len_in and dlen):

--- iconv.c	7 Sep 2005 23:27:43 -0000	1.15
+++ iconv.c	24 Jul 2008 14:04:24 -0000
@@ -82,8 +82,11 @@
 		dlen -= len_out;
 #else
 	if (IS_JET3(mdb)) {
-		strncpy(out_ptr, in_ptr, len_in);
-		dlen = len_in;
+		size_t copy_len = len_in;
+		if (copy_len > dlen)
+			copy_len = dlen;
+		strncpy(out_ptr, in_ptr, copy_len);
+		dlen = copy_len;
 	} else {
 		/* rough UCS-2LE to ISO-8859-1 conversion */
 		unsigned int i;

Regards,
Brett

On 23 Jul 2008, at 01:25, Nigel Kendrick wrote:

> I have one table where the user has pasted some notes from another
> application into a 'comments' field of type 'memo' and mdb-export segfaults
> when it gets to these notes - they are quite long and contain tabs.
>
> I am not sure whether it's the length of the data or that it includes
> non-ascii characters, but I just wondered if anyone had any ideas tracking
> down the problem - I have had a look at the source code for mdb-export but I
> don't know C very well so I'm not getting very far. I get the feeling it's a
> buffer overflow or character (tab?) handling issue somewhere?
>
> Any thoughts on where to look?
>
> Thanks

-- 
Brett Hutley [Head of Product Development, Stimuli Limited]
[b] mailto:br...@st... http://www.stimuli.org/
[h] mailto:br...@hu... http://hutley.net/brett/
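Review bot: the IS_JET3 branch of the iconv.c hunk clamps the copy to dlen but still leaves out_ptr without a NUL terminator whenever copy_len == dlen, because strncpy only pads with NULs when the source is shorter than the count; a memo that fills or exceeds the destination therefore stays unterminated and any later string handling on the buffer reads past its end. Suggest reserving one byte (`if (copy_len >= dlen) copy_len = dlen - 1;`) and writing `out_ptr[copy_len] = '\0';` explicitly after the copy. The trailing context also shows the start of the else branch (`/* rough UCS-2LE to ISO-8859-1 conversion */`) untouched, so the same unbounded write the message describes remains in that loop; worth folding the dlen check into it in the same patch rather than fixing one path now and the other later.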
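As an added example (not mdbtools code and not part of Brett's patch), here are bounded versions of the two non-iconv copy paths the message discusses: the JET3 byte copy and the else branch's rough UCS-2LE to ISO-8859-1 conversion, both of which also NUL-terminate and report truncation to the caller. The function names, the '?' substitution for characters above U+00FF and the terminated output are assumptions, not how mdbtools itself behaves.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not mdbtools code: bounded versions of the two
 * non-iconv copy paths.  The destination size is checked on every path,
 * the result is always NUL-terminated, and truncation is reported to
 * the caller instead of silently overrunning the buffer. */

/* JET3 path: plain byte copy.  Returns bytes written (excluding the NUL);
 * sets *truncated to 1 if the input did not fit in dlen bytes. */
size_t bounded_jet3_copy(char *out, size_t dlen,
                         const char *in, size_t len_in, int *truncated)
{
    size_t copy_len = len_in;
    *truncated = 0;
    if (dlen == 0)
        return 0;
    if (copy_len > dlen - 1) {          /* leave room for the terminator */
        copy_len = dlen - 1;
        *truncated = 1;
    }
    memcpy(out, in, copy_len);
    out[copy_len] = '\0';
    return copy_len;
}

/* JET4 path: rough UCS-2LE -> ISO-8859-1.  Keeps the low byte of each
 * 16-bit code unit and substitutes '?' above U+00FF (an assumption about
 * the mapping; mdbtools' own loop may differ).  The loop is bounded by
 * both the input length and the output size. */
size_t bounded_ucs2le_to_latin1(char *out, size_t dlen,
                                const unsigned char *in, size_t len_in,
                                int *truncated)
{
    size_t i, n = 0;
    *truncated = 0;
    if (dlen == 0)
        return 0;
    for (i = 0; i + 1 < len_in; i += 2) {
        unsigned int cp = in[i] | ((unsigned int)in[i + 1] << 8);
        if (n == dlen - 1) {            /* output full: stop and report */
            *truncated = 1;
            break;
        }
        out[n++] = (cp < 0x100) ? (char)cp : '?';
    }
    out[n] = '\0';
    return n;
}
```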