Closed
Description
Security Issue
A potential integer overflow vulnerability has been identified in the bindcol_localize_exec() function in win_unicode.c.
Problem Description
The function bindcol_localize_exec() takes a size_t n parameter and passes it to wstrtomsg() which expects an int parameter. This implicit conversion from size_t (unsigned) to int (signed) can cause integer overflow when n > INT_MAX.
Location
File: win_unicode.c
Function: bindcol_localize_exec()
Line: l = wstrtomsg(wcsalc, ldt, n);
Impact
- Buffer size miscalculation due to integer overflow
- Potential buffer overflow
- Possible security vulnerability (CWE-190: Integer Overflow or Wraparound)
Suggested Fix
Add a size check before the conversion:
```c
#include <limits.h>   /* INT_MAX */

SQLLEN bindcol_localize_exec(char *ldt, size_t n, BOOL lf_conv, char **wcsbuf)
{
    SQLLEN l = (-2);

    /* Reject lengths that do not fit in the int parameter of wstrtomsg() */
    if (n > INT_MAX) {
        // Handle error case
        return -1;
    }
    if (use_wcs)
    {
        wchar_t *wcsalc = (wchar_t *) *wcsbuf;
        l = wstrtomsg(wcsalc, ldt, (int)n);
    }
    // ...
}
```
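The narrowing described in this report, as an added example that is not part of the original issue or the project's code. It models what a 32-bit `int` parameter receives from an unchecked 64-bit length and shows a checked wrapper in the shape of the suggested fix. `int_len_api`, `len_seen_unchecked`, `len_to_int` and `copy_checked` are hypothetical names, and the destination-capacity check is an assumption added so the stand-in copy is safe.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for an API whose length parameter is int,
 * as wstrtomsg() is described in the report. Copies n bytes. */
static int int_len_api(char *dst, const char *src, int n)
{
    if (n < 0)
        return -1;              /* a wrapped length may arrive negative */
    memcpy(dst, src, (size_t)n);
    return n;
}

/* Models what a 32-bit two's-complement int receives when a 64-bit
 * length is narrowed without a check: only the low 32 bits survive. */
long long len_seen_unchecked(uint64_t n)
{
    uint32_t low = (uint32_t)n;
    return low > (uint32_t)INT32_MAX ? (long long)low - 4294967296LL
                                     : (long long)low;
}

/* Checked narrowing: returns 0 and stores the value, or -1 if n
 * does not fit in an int. */
int len_to_int(size_t n, int *out)
{
    if (n > (size_t)INT_MAX)
        return -1;
    *out = (int)n;
    return 0;
}

/* Wrapper in the shape of the suggested fix: validate n against INT_MAX
 * (and, as an added assumption, the destination capacity) before the
 * int-length API is called. */
long copy_checked(char *dst, size_t dstcap, const char *src, size_t n)
{
    int len;
    if (len_to_int(n, &len) != 0 || n > dstcap)
        return -1;
    return int_len_api(dst, src, len);
}
```

A length such as `0x100000010` narrows to the small positive value 16 rather than a negative one, so a sign check inside the callee does not catch every case; the range check has to happen before the conversion.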