[UDF, AV] Server incorrectly calculates a memory size for scalar_array_desc

Open dmitry-lipetsk opened this issue 2 years ago • 0 comments

Hello,

sizeof(scalar_array_desc) == 32

Note: this is the size of an array descriptor with one dimension.

When I call the UDF

DECLARE EXTERNAL FUNCTION IBP_UDF__ADIM__I4
    INTEGER BY SCALAR_ARRAY
    RETURNS INTEGER BY VALUE
    ENTRY_POINT 'fn_get_arr_dim__i4__sa'
    MODULE_NAME 'lcpi.ibp.test.udf.01.dll';

I see the following situation in this code:

https://github.com/FirebirdSQL/firebird/blob/6340df17fa22dc8a641f4a1673e515c5e0242eca/src/jrd/fun.epp#L377-L380


Server allocates 16+8 bytes here.

And it uses this memory below: https://github.com/FirebirdSQL/firebird/blob/6340df17fa22dc8a641f4a1673e515c5e0242eca/src/jrd/fun.epp#L479-L483

There are two mistakes:

  1. function->fun_temp_length is calculated incorrectly
  2. It won't work with multidimensional arrays - get_scalar_array must allocate scalar_array_desc.

Server crashes in MemPool::releaseMemory


dmitry-lipetsk, Nov 29 '23 18:11
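The sizing problem described in the report, as an added example that is neither the reporter's code nor Firebird's own: the struct layout below is an assumption modelled on the general shape of a scalar array descriptor (a data descriptor, a dimension count, then one lower/upper bound pair per dimension), and the function and field names are illustrative. The point it shows is that adding up the data descriptor and a single bound pair (the "16+8" in the report) leaves no room for the dimension count and is wrong for every dimension count above one, whereas sizing from the one-dimension struct plus one extra bound pair per additional dimension covers every case.

```c
/* Added example, not Firebird's code.  Layout below is an assumption made
 * for illustration; it reproduces sizeof == 32 on a 64-bit build. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the server's data descriptor (assumed layout). */
typedef struct dsc {
    uint8_t  dsc_dtype;
    int8_t   dsc_scale;
    uint16_t dsc_length;
    int16_t  dsc_sub_type;
    uint16_t dsc_flags;
    uint8_t *dsc_address;
} dsc;

/* One lower/upper bound pair per array dimension (assumed). */
typedef struct sad_repeat {
    int32_t sad_lower;
    int32_t sad_upper;
} sad_repeat;

/* Assumed scalar_array_desc: descriptor, dimension count, then the bound list
 * declared with one entry and extended in the allocation for more dimensions. */
typedef struct scalar_array_desc {
    dsc        sad_desc;
    int32_t    sad_dimensions;
    sad_repeat sad_rpt[1];
} scalar_array_desc;

/* The allocation the report describes: data descriptor plus one bound pair.
 * It omits the dimension count and cannot hold more than one dimension. */
size_t sad_size_as_reported(void)
{
    return sizeof(dsc) + sizeof(sad_repeat);
}

/* Size that covers a descriptor with 'dimensions' dimensions: the complete
 * one-dimension struct (padding included) plus one bound pair per extra
 * dimension.  A request for zero dimensions is treated as one. */
size_t sad_size_for(size_t dimensions)
{
    if (dimensions == 0)
        dimensions = 1;
    return sizeof(scalar_array_desc) + (dimensions - 1) * sizeof(sad_repeat);
}

/* Bytes by which a buffer of the reported size would be too small for an
 * array with 'dimensions' dimensions (0 means it fits). */
size_t sad_overrun_bytes(size_t dimensions)
{
    size_t need = sad_size_for(dimensions);
    size_t have = sad_size_as_reported();
    return need > have ? need - have : 0;
}

int main(void)
{
    printf("sizeof(scalar_array_desc) = %zu\n", sizeof(scalar_array_desc));
    printf("allocation as reported    = %zu\n", sad_size_as_reported());
    for (size_t d = 1; d <= 3; d++)
        printf("dims=%zu need=%zu short by %zu\n",
               d, sad_size_for(d), sad_overrun_bytes(d));
    return 0;
}
```

Sizing from `sizeof(scalar_array_desc)` rather than from a hand-added sum keeps the compiler's padding in the count, which is why the one-dimension case comes out at 32 bytes on a 64-bit build rather than the 28 a field-by-field sum would suggest.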