ESE is an embedded / ISAM-based database engine that provides rudimentary table and indexed access. However, the library provides many other strongly layered and thus reusable sub-facilities as well: a Synchronization / Locking library, a Data-structures / STL-like library, an OS-abstraction layer, and a Cache Manager, as well as the full-blown database engine itself.
MIT License
Fix an out-of-bounds write in CResource::ErrGetParam() #17
This method unconditionally sets *pdwParam to 0, where pdwParam is a DWORD_PTR.
On x64, this translates into an 8-byte write to the memory location pointed by pdwParam.
However, for the JET_resoperTag param, the pdwParam is allowed to point
to a buffer of a lesser size, because the tag's length (JET_resTagSize) is 4 bytes.
Current implementation of the `CResource::ErrGetParam()` method may result in an out of bounds write under certain circumstances.

This method unconditionally sets `*pdwParam` to 0, where `pdwParam` is a `DWORD_PTR`. On x64, this translates into an 8-byte write to the memory location pointed by `pdwParam`. However, for the `JET_resoperTag` param, the `pdwParam` is allowed to point to a buffer of a lesser size, because the tag's length (`JET_resTagSize`) is 4 bytes.

For example, `CResource::PvAlloc_()` passes a buffer of size `JET_resTagSize + 1` (= 5). So the remaining part of the 8-byte write happens into a memory location after the allocated buffer.

This particular out-of-bounds write has been confirmed to not have any actual security implications, so I am posting this as a public PR.

The attached patch fixes the problem by adding the same check as in the `CResourceManager::ErrGetParam()` method.
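An added illustration of the defect the PR describes, written for this page and not taken from ESE: `ErrGetParamBefore` models the unconditional pointer-width store, `ErrGetParamAfter` models the assumed shape of the fix (answer the tag operation before any `DWORD_PTR` store), and the caller buffer is padded with a canary so the 3-byte overrun becomes observable without undefined behaviour. The `JET_resoperTag` value, the error codes, the tag contents and the body of the fix are assumptions; only `JET_resTagSize` and the 5-byte buffer size come from the PR text.

```c
#include <stdint.h>
#include <string.h>

typedef uint64_t DWORD_PTR;          /* modelled at the x64 width the PR discusses */
#define JET_resTagSize 4             /* tag length, from the PR text */
enum { JET_resoperTag = 1 };         /* hypothetical value for the tag operation */
enum { JET_errSuccess = 0, JET_errInvalidParameter = -1003 };
static const char kTag[JET_resTagSize + 1] = "RES1";   /* constructed tag value */

/* Before: the pointer-width zero is stored before resop is examined, so a caller
   that passed a JET_resTagSize + 1 byte buffer receives 3 bytes it never owned. */
static int ErrGetParamBefore(int resop, void *pvParam)
{
    memset(pvParam, 0, sizeof(DWORD_PTR));          /* the unconditional *pdwParam = 0 */
    if (resop == JET_resoperTag) {
        memcpy(pvParam, kTag, JET_resTagSize + 1);
        return JET_errSuccess;
    }
    return JET_errInvalidParameter;                 /* other resops omitted here */
}

/* After (assumed shape of the fix): the tag case is answered first and touches only
   JET_resTagSize + 1 bytes; the DWORD_PTR store is reached only by operations whose
   out-parameter really is pointer-sized. */
static int ErrGetParamAfter(int resop, void *pvParam)
{
    if (resop == JET_resoperTag) {
        memcpy(pvParam, kTag, JET_resTagSize + 1);
        return JET_errSuccess;
    }
    DWORD_PTR zero = 0;
    memcpy(pvParam, &zero, sizeof zero);
    return JET_errInvalidParameter;                 /* other resops omitted here */
}

/* Caller buffer shaped like the PvAlloc_() case in the PR: a 5-byte tag buffer, padded
   here with a canary so the overrun is observable without undefined behaviour. */
struct TagBuf { char tag[JET_resTagSize + 1]; char canary[3]; };

/* Runs one implementation for JET_resoperTag against the 5-byte buffer.
   Returns 1 when the tag was copied and the canary survived, 0 otherwise. */
static int TagReadIsClean(int (*pfn)(int, void *))
{
    struct TagBuf buf;
    memset(&buf, 0x5a, sizeof buf);                 /* canary pattern everywhere */
    pfn(JET_resoperTag, &buf);                      /* &buf aliases buf.tag at offset 0 */
    return memcmp(buf.tag, kTag, JET_resTagSize + 1) == 0
        && buf.canary[0] == 0x5a && buf.canary[1] == 0x5a && buf.canary[2] == 0x5a;
}
```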