Bug#1052327: libdbd-odbc-perl: Test failure in t/rt_57957.t

Paul Wise pabs at debian.org
Tue Oct 10 05:48:42 BST 2023


Control: reassign -1 libsqliteodbc 0.9999-1
Control: retitle -1 libsqliteodbc: regression: crashes (SIGSEGV) with line comments
Control: affects -1 + libdbd-odbc-perl
Control: tags -1 + patch
Control: forwarded -1 Christian Werner <chw at ch-werner.de>

On Wed, 20 Sep 2023 17:00:50 +0200 gregor herrmann wrote:

> As noticed by ci.debian.org, t/rt_57957.t started to fail at some
> point between 2023-09-02 and 2023-09-18.

The two tests that fail are the line comment ones:

   4 - Prepare with line comment named placeholder
   6 - Prepare with line comment and ? placeholder

They both fail by causing a SIGSEGV in Perl itself.

Executing the same SQL within sqlite3 does not cause a SIGSEGV:

   $ sqlite3 
   SQLite version 3.43.1 2023-09-11 12:01:27
   Enter ".help" for usage hints.
   Connected to a transient in-memory database.
   Use ".open FILENAME" to reopen on a persistent database.
   sqlite> select -- placeholder ? in a comment
   1;
   1

When I modify the SQL a bit so that gdb can actually load the core dump
from inside pbuilder, I get a backtrace inside sqliteodbc.

When I downgrade libsqliteodbc from 0.9999-1 to 0.9998-3+b1 then the
crash no longer happens, so this is a bug in sqliteodbc.

When I modify the pyodbc tests to include a test with a line comment,
then I get a Python crash and the crash is fixed with 0.9998-3+b1.

Looking at the diff from 0.9998-3 to 0.9999-1, I see that this version
added support for line comments by adding this case to the code:

	case '-':
	    *p++ = *q;
	    if (!inq && q[1] == '-') {
		++q;
		while (*q) {
		    *p++ = *q;
		    if (*q == '\n') {
			break;
		    }
		}
	    }
	    break;

So this is crashing because the q pointer isn't getting incremented so
it never reaches the \n character nor the end of the SQL string, but
the p pointer is getting incremented within the infinite loop, so it
gets incremented past the end of its allocated memory.

The fix is to increment both pointers at once.

		    *p++ = *q++;

This fixes the libdbd-odbc-perl test failures too.

I have sent the attached patch to upstream.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-crash-with-line-comments-in-SQL-fixup.patch
Type: text/x-patch
Size: 1517 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20231010/19e54420/attachment.bin>
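
An added example, not part of the original message and not sqliteodbc's code: a simplified stand-in for the fixup pass discussed above, in which the line-comment loop advances source and destination together and every write is bounds-checked, so a comment can neither loop forever nor run past the output buffer. The function name, signature and the placeholder counting are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a SQL fixup pass: copies sql into out and counts
 * '?' placeholders outside single-quoted strings and "--" line comments.
 * Returns the count, or -1 if out (outsz bytes) is too small. */
int copy_sql_count_params(const char *sql, char *out, size_t outsz)
{
    const char *q = sql;
    char *p = out;
    char *end = out + outsz;      /* one past the last writable byte */
    int inq = 0, nparams = 0;

    if (outsz == 0)
        return -1;
    while (*q) {
        if (p + 1 >= end)         /* keep room for the terminating NUL */
            return -1;
        switch (*q) {
        case '\'':
            inq = !inq;
            *p++ = *q++;
            break;
        case '?':
            if (!inq)
                nparams++;
            *p++ = *q++;
            break;
        case '-':
            if (!inq && q[1] == '-') {
                /* Line comment: copy through '\n' or end of string,
                 * advancing q and p together on every iteration. */
                while (*q) {
                    if (p + 1 >= end)
                        return -1;
                    *p++ = *q;
                    if (*q++ == '\n')
                        break;
                }
            } else {
                *p++ = *q++;
            }
            break;
        default:
            *p++ = *q++;
        }
    }
    *p = '\0';
    return nparams;
}
```
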