From: Brett H. <br...@hu...> - 2004-06-08 05:57:00
Jeff Smith wrote:
> I can see where things start going downhill, but more information would
> be helpful.
> 1. are you using mdbtools v0.5, or mdbtools from CVS?
> 2. what platform are you using (e.g. Linux on x86)
> 3. how was the mdb created (if Access, which version)?
>
> Here is what I can tell you at this point:
>
>> lseek(3, 4096, SEEK_SET) = 4096
>
> mdbtools has decided this is a JET3 database
>
>> read(3, "\201\310\244w\261*\307\6:\254/\3001@a\210)t\250\201\244"..., 2048) = 2048

*snip*

I just added two lines of code to data.c line 686 to stop a buffer overflow.
The actual lines are the check for len:

-- 8< -- snip -- 8< --
    if (len >= MDB_PGSIZE - row_start)
        len = MDB_PGSIZE - row_start - 1;
-- >8 -- snip -- >8 --

Full context is as follows:

    len = row_stop - row_start;
    if (len >= MDB_PGSIZE - row_start)
        len = MDB_PGSIZE - row_start - 1;
    if (IS_JET3(mdb)) {
        strncpy(text, &mdb->pg_buf[row_start], len);
        text[len] = '\0';
    } else {
        if (mdb->pg_buf[row_start] == 0xff && mdb->pg_buf[row_start+1] == 0xfe) {
            strncpy(text, &mdb->pg_buf[row_start+2], len-2);
            text[len-2] = '\0';
        } else {
            /* convert unicode to ascii, rather sloppily */
            for (i=0; i<len; i+=2)
                text[i/2] = mdb->pg_buf[row_start + i];
            text[len/2] = '\0';
        }
    }

I'm not sure whether this is right or not - I just downloaded and built
mdbtools-0.5 today, and got a segfault when trying to export a database.
With this patch, it no longer segfaults, but I haven't validated that the
data exported is actually correct. I also haven't tried the release that's
in cvs (yet).

Cheers,
Brett
--
Brett Hutley [MAppFin,CISSP,SANS GCIH]
mailto:br...@hu...
http://hutley.net/brett
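A hardened form of the copy-out logic quoted in the message, added here as an illustration and not taken from mdbtools or from Brett's patch. The quoted check only bounds the read against the page; this version also checks that row_start <= row_stop <= page size, that the destination buffer cannot be overrun, and that the JET4 marker test never reads or subtracts past a cell shorter than 2 bytes. extract_text_cell and the demo_* functions are hypothetical names, and MDB_PGSIZE is assumed to be the page size used by the quoted check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MDB_PGSIZE 4096   /* page size; assumption taken from the check in the message */

/* Hypothetical rewrite of the copy-out logic quoted above (not mdbtools' code).
 * Beyond the page bound it checks that row_start <= row_stop <= page size, that
 * the destination buffer is not overrun, and that the JET4 marker test never
 * reads or subtracts past a cell shorter than 2 bytes.
 * Returns the bytes written (NUL excluded) or -1 for a rejected cell range. */
int extract_text_cell(const uint8_t *pg_buf, size_t pg_size,
                      size_t row_start, size_t row_stop,
                      bool is_jet3, char *text, size_t text_size)
{
    if (text_size == 0) return -1;
    if (row_stop < row_start || row_stop > pg_size) { text[0] = '\0'; return -1; }
    size_t len = row_stop - row_start, n, step = 1;
    const uint8_t *src = pg_buf + row_start;
    if (is_jet3) {                                /* JET3: plain bytes */
        n = len;
    } else if (len >= 2 && src[0] == 0xff && src[1] == 0xfe) {
        src += 2; n = len - 2;                    /* JET4 compressed single-byte text */
    } else {                                      /* JET4 UCS-2LE: keep low byte of each unit */
        n = len / 2; step = 2;
    }
    if (n >= text_size) n = text_size - 1;        /* never overrun the destination either */
    for (size_t i = 0; i < n; i++) text[i] = (char)src[i * step];
    text[n] = '\0';
    return (int)n;
}

/* Constructed inputs; each demo returns extract_text_cell()'s result */
int demo_page_overrun(void)      /* JET3 cell that would run 100 bytes past the page */
{
    uint8_t page[MDB_PGSIZE]; char out[16]; memset(page, 'A', sizeof page);
    return extract_text_cell(page, MDB_PGSIZE, MDB_PGSIZE - 8, MDB_PGSIZE + 100, true, out, sizeof out);
}
int demo_dest_truncation(void)   /* 20-byte JET3 cell into an 8-byte destination */
{
    uint8_t page[MDB_PGSIZE]; char out[8]; memset(page, 'B', sizeof page);
    return extract_text_cell(page, MDB_PGSIZE, 100, 120, true, out, sizeof out);
}
int demo_jet4_compressed(void)   /* JET4 cell: 0xFF 0xFE marker followed by "hi" */
{
    uint8_t page[MDB_PGSIZE] = {0}; char out[8];
    memcpy(page + 10, "\xff\xfehi", 4);
    return extract_text_cell(page, MDB_PGSIZE, 10, 14, false, out, sizeof out);
}
int demo_jet4_short(void)        /* 1-byte JET4 cell, too short for the marker test */
{
    uint8_t page[MDB_PGSIZE] = {0}; char out[8]; page[10] = 0xff;
    return extract_text_cell(page, MDB_PGSIZE, 10, 11, false, out, sizeof out);
}
```

The over-long page range is refused rather than clamped, so a corrupt or crafted row offset table produces an error for the caller instead of a silently truncated value.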