bug-glpk
[Bug-glpk] bug in glpk 4.44 in glpsql.c


From: Peter Notebaert
Subject: [Bug-glpk] bug in glpk 4.44 in glpsql.c
Date: Thu, 15 Jul 2010 00:16:58 +0200

Hello,
 
I found a memory overrun error in glpsql.c in glpk version 4.44
 
In routine
 
static char **args_concat(TABDCA *dca)
 
There is:
 
   j0     = 3;
   i      = 0;
   lentot = 0;
   for (j = 3; j <= narg; j++)
   {
      arg = mpl_tab_get_arg(dca, j);
      len = strlen(arg);
      lentot += len;
      if (arg[len-1] == ';' || j == narg)
      {  /* Join arguments for a single SQL statement */
         sqllines[i] = xmalloc(lentot+1);
         sqllines[i+1] = NULL;
         sqllines[i][0] = 0x00;
         for (j1 = j0; j1 <= j; j1++)
         {  if(j1>j0)
               strcat(sqllines[i], " ");
            strcat(sqllines[i], mpl_tab_get_arg(dca, j1));
         }
         len = strlen(sqllines[i]);
         if (sqllines[i][len-1] == ';')
            sqllines[i][len-1] = 0x00;
         j0 = j+1;
         i++;
         lentot = 0;
      }
   }
The error is a memory overrun of sqllines[i] because of the statement
 
   if(j1>j0)
      strcat(sqllines[i], " ");
The problem is that when memory is allocated via
 
sqllines[i] = xmalloc(lentot+1);
 
lentot does not account for that space.
 
So I think the code must be:
 
   j0     = 3;
   i      = 0;
   lentot = 0;
   for (j = 3; j <= narg; j++)
   {
      arg = mpl_tab_get_arg(dca, j);
      len = strlen(arg);
      lentot += len;
      if (j>j0)
          lentot++; /* added by peno */
      if (arg[len-1] == ';' || j == narg)
      {  /* Join arguments for a single SQL statement */
         sqllines[i] = xmalloc(lentot+1);
         sqllines[i+1] = NULL;
         sqllines[i][0] = 0x00;
         for (j1 = j0; j1 <= j; j1++)
         {  if(j1>j0)
               strcat(sqllines[i], " ");
            strcat(sqllines[i], mpl_tab_get_arg(dca, j1));
         }
         len = strlen(sqllines[i]);
         if (sqllines[i][len-1] == ';')
            sqllines[i][len-1] = 0x00;
         j0 = j+1;
         i++;
         lentot = 0;
      }
   }
Note the comment /* added by peno */.
 
Best regards,
 
Peter Notebaert
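To make the size mismatch concrete, the following is an added stand-alone C example (not code from GLPK or from the report above). It replaces TABDCA/mpl_tab_get_arg() with a hypothetical 1-based argument array, computes how many bytes the 4.44 sizing (sum of fragment lengths, plus one for the NUL) falls short of what the strcat loop really writes, and shows the corrected join that counts a separator for every fragment after the first, as in the patch above. The sample arguments are constructed for this example; as an extra guard that is not part of the posted patch, the fixed join also skips the arg[len-1] test when a fragment is empty.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for GLPK's TABDCA/mpl_tab_get_arg(): args[1..narg],
   1-based so the indices match the original loop (SQL text starts at 3). */
typedef struct {
    const char **args;
    int narg;
} Args;

/* Length (without NUL) that the strcat loop really produces for
   fragments j0..j: every fragment plus one space between neighbours. */
static size_t joined_len(const Args *a, int j0, int j)
{
    size_t n = 0;
    for (int j1 = j0; j1 <= j; j1++) {
        if (j1 > j0) n++;                  /* the " " inserted by strcat */
        n += strlen(a->args[j1]);
    }
    return n;
}

/* Bytes the 4.44 code writes past its xmalloc(lentot+1) buffer for
   fragments j0..j: it sums only the fragment lengths, so the shortfall
   is exactly the number of separators, j - j0. */
static size_t overrun_bytes_buggy(const Args *a, int j0, int j)
{
    size_t lentot = 0;
    for (int j1 = j0; j1 <= j; j1++)
        lentot += strlen(a->args[j1]);
    size_t allocated = lentot + 1;
    size_t needed = joined_len(a, j0, j) + 1;
    return needed > allocated ? needed - allocated : 0;
}

/* Fixed join: counts the separator up front (the lentot++ from the patch)
   and, as an extra guard not in the patch, never reads arg[len-1] of an
   empty argument. Returns a NULL-terminated array of statements with the
   trailing ';' removed; *count receives how many were built. */
static char **args_concat_fixed(const Args *a, int *count)
{
    char **sqllines = calloc((size_t)a->narg + 1, sizeof *sqllines);
    int j0 = 3, i = 0;
    size_t lentot = 0;
    if (!sqllines) return NULL;
    for (int j = 3; j <= a->narg; j++) {
        const char *arg = a->args[j];
        size_t len = strlen(arg);
        lentot += len;
        if (j > j0) lentot++;              /* room for the " " separator */
        if ((len > 0 && arg[len - 1] == ';') || j == a->narg) {
            sqllines[i] = malloc(lentot + 1);
            if (!sqllines[i]) break;
            sqllines[i][0] = '\0';
            for (int j1 = j0; j1 <= j; j1++) {
                if (j1 > j0) strcat(sqllines[i], " ");
                strcat(sqllines[i], a->args[j1]);
            }
            /* sanity check: the buffer was sized for exactly this length */
            if (strlen(sqllines[i]) != lentot) abort();
            if (lentot > 0 && sqllines[i][lentot - 1] == ';')
                sqllines[i][lentot - 1] = '\0';
            sqllines[i + 1] = NULL;
            j0 = j + 1;
            i++;
            lentot = 0;
        }
    }
    *count = i;
    return sqllines;
}

static void free_lines(char **lines)
{
    if (!lines) return;
    for (int i = 0; lines[i]; i++) free(lines[i]);
    free(lines);
}

/* Constructed sample: driver, connect string, then two statements split
   across several arguments, the way a table statement would pass them. */
static const char *sample_args[] = {
    NULL, "mysql", "dbname=test",
    "SELECT a", "FROM t", "WHERE x = 1;",
    "SELECT", "b", "FROM", "u"
};
static const Args sample = { sample_args, 9 };

/* Builds the sample's statements and compares statement idx (0-based)
   with expected; returns 1 on match, 0 otherwise. */
static int sample_statement_is(int idx, const char *expected)
{
    int n, ok;
    char **lines = args_concat_fixed(&sample, &n);
    ok = lines && idx < n && strcmp(lines[idx], expected) == 0;
    free_lines(lines);
    return ok;
}

int main(void)
{
    int n;
    char **lines = args_concat_fixed(&sample, &n);
    printf("statement 1 overrun in 4.44: %zu bytes\n", overrun_bytes_buggy(&sample, 3, 5));
    printf("statement 2 overrun in 4.44: %zu bytes\n", overrun_bytes_buggy(&sample, 6, 9));
    for (int i = 0; i < n; i++) printf("stmt %d: [%s]\n", i + 1, lines[i]);
    free_lines(lines);
    return 0;
}
```

For the sample, the first statement (three fragments) is undersized by two bytes and the second (four fragments) by three: the shortfall grows with the number of fragments joined, which is why a long multi-argument table statement is the easiest way to trigger the overrun. Building under AddressSanitizer (-fsanitize=address) with the original sizing reports the write past the end of sqllines[i] immediately.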
