[UDF, AV] Server incorrectly calculates a memory size for scalar_array_desc #7892

Open
dmitry-lipetsk opened this issue Nov 29, 2023 · 0 comments

@dmitry-lipetsk

Hello,

sizeof(scalar_array_desc) == 32

Note: this is the size of an array descriptor with one dimension.

When I call the UDF

DECLARE EXTERNAL FUNCTION IBP_UDF__ADIM__I4
 INTEGER BY SCALAR_ARRAY
RETURNS INTEGER BY VALUE
ENTRY_POINT 'fn_get_arr_dim__i4__sa'
MODULE_NAME 'lcpi.ibp.test.udf.01.dll'

I see the following situation in this code:

firebird/src/jrd/fun.epp

Lines 377 to 380 in 6340df1

// Start by constructing argument list
UCHAR* temp_ptr = temp.getBuffer(function->fun_temp_length + FB_DOUBLE_ALIGN);
MOVE_CLEAR(temp_ptr, temp.getCount());
temp_ptr = FB_ALIGN(temp_ptr, FB_DOUBLE_ALIGN);

The server allocates 16+8 bytes here.

And it uses this memory below:

firebird/src/jrd/fun.epp

Lines 479 to 483 in 6340df1

else if (parameter->prm_fun_mechanism == FUN_scalar_array)
{
    length = get_scalar_array(tdbb, parameter, input, (scalar_array_desc*) temp_ptr,
                              array_stack);
}

There are two mistakes:

  1. function->fun_temp_length is calculated incorrectly
  2. It won't work with multidimensional arrays - get_scalar_array must allocate scalar_array_desc.

The server crashes in MemPool::releaseMemory.
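
The sizing problem described in the report, as an added C example (not Firebird's code and not from the issue author): it computes how many bytes a variable-length array descriptor needs for a given dimension count and refuses to fill a buffer that is too small. The `demo_*` types, `DEMO_MAX_DIMS` and the field layout are assumptions, chosen so that the one-dimension size is 32 bytes on an LP64 target, matching the figure in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in layout (assumption, not copied from Firebird's headers). On an
   LP64 target sizeof(demo_array_desc) is 32, the figure quoted in the issue. */
typedef struct {
    uint8_t dtype; int8_t scale; uint16_t length;
    int16_t sub_type; uint16_t flags; uint8_t *address;
} demo_dsc;

typedef struct { int32_t lower, upper; } demo_bound;
typedef struct {
    demo_dsc   desc;
    int32_t    dimensions;
    demo_bound rpt[1];              /* in use: one entry per dimension */
} demo_array_desc;

#define DEMO_MAX_DIMS 16            /* constructed limit for this example */
/* Bytes a descriptor with `dims` dimensions occupies; 0 if dims is invalid. */
size_t demo_desc_size(int dims)
{
    if (dims < 1 || dims > DEMO_MAX_DIMS)
        return 0;
    size_t raw = offsetof(demo_array_desc, rpt) + (size_t)dims * sizeof(demo_bound);
    size_t al = _Alignof(demo_array_desc);
    return (raw + al - 1) / al * al;    /* round up to the struct's alignment */
}

/* Fill a descriptor only if it fits in buf; returns bytes used, 0 on refusal. */
size_t demo_fill_desc(void *buf, size_t buf_len, int dims, const demo_bound *bounds)
{
    size_t need = demo_desc_size(dims);
    int32_t n = dims;
    if (need == 0 || need > buf_len)
        return 0;                       /* undersized buffer or bad dimension count */
    memset(buf, 0, need);
    memcpy((char *)buf + offsetof(demo_array_desc, dimensions), &n, sizeof n);
    memcpy((char *)buf + offsetof(demo_array_desc, rpt), bounds, (size_t)dims * sizeof *bounds);
    return need;
}

int main(void)
{
    for (int d = 1; d <= 3; d++)        /* the issue reports a 16+8 byte scratch area */
        printf("dims=%d needs %zu bytes, scratch has 24\n", d, demo_desc_size(d));
    return 0;
}
```
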

@dmitry-lipetsk dmitry-lipetsk changed the title [UDF, AV] Server incorrect calculates a memory size for scalar_array_desc [UDF, AV] Server incorrectly calculates a memory size for scalar_array_desc Nov 29, 2023
dmitry-lipetsk added a commit to dmitry-lipetsk/firebird that referenced this issue Nov 29, 2023
It is a fix for issue FirebirdSQL#7892.

Additional verifications of array dimension were added.

Work with memory was improved.
dmitry-lipetsk added a commit to dmitry-lipetsk/firebird that referenced this issue Nov 30, 2023