
Code accessing fields in variable length rows can access invalid memory

    Details

    • Type: Regression
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.0.12
    • Component/s: Code Generator
    • Labels:
      None

      Description

      Version 7.0 introduced classes for calculating the offsets of fields in rows that contain a large number of variable-size fields. The feature is controlled by the option 'varFieldAccessorThreshold'.

      The offsets in the record are size_t.

      An example query generated code similar to the following:

      unsigned value = 1;
      target = row + (value - 4U) + offs.off[6] + 1223U;   // offs.off[] holds size_t offsets

      In this situation (value - 4U) underflows to -3 (i.e. 0xfffffffd) as a 32-bit unsigned. If the offs.off[6] term had not been present, that value would then have been added to 1223U and wrapped back around to 1220U. But because offs.off[6] is a size_t, the 32-bit value is first converted to an unsigned __int64, so no wrap-around occurs and the resulting offset is 0x100000000 larger than intended, leading to an invalid address.
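      The arithmetic the description walks through, as an added C illustration rather than code from the HPCC code generator. It sets the size_t term to 0 so the numbers match the text, assumes a 64-bit size_t (LP64), and the offset_fixed variant is just one way to express the intent in signed, pointer-width arithmetic, not necessarily the change applied in 7.0.12.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every term is a 32-bit unsigned: (value - 4U) underflows to 0xfffffffd,
 * but adding 1223U wraps the sum back around modulo 2^32. */
uint32_t offset_all_unsigned(unsigned value, unsigned off6)
{
    return (value - 4U) + off6 + 1223U;
}

/* Same expression with a size_t term in the middle (assumes 64-bit size_t):
 * the 32-bit 0xfffffffd is zero-extended to 64 bits before off6 is added,
 * so the wrap-around never happens and the result is 0x100000000 too large. */
uint64_t offset_with_size_t(unsigned value, size_t off6)
{
    return (value - 4U) + off6 + 1223U;
}

/* One way to keep the intended meaning (illustrative, not the project's fix):
 * perform the subtraction in a signed pointer-width type so -3 stays -3. */
ptrdiff_t offset_fixed(unsigned value, size_t off6)
{
    return (ptrdiff_t)off6 + ((ptrdiff_t)value - 4) + 1223;
}

int main(void)
{
    unsigned value = 1;              /* the value from the description */
    size_t   off6  = 0;              /* constructed: accessor offset of 0 */

    uint32_t narrow = offset_all_unsigned(value, (unsigned)off6);
    uint64_t wide   = offset_with_size_t(value, off6);

    printf("all unsigned : %u\n", narrow);                      /* 1220 */
    printf("with size_t  : 0x%llx\n", (unsigned long long)wide); /* 0x1000004c4 */
    printf("difference   : 0x%llx\n",
           (unsigned long long)(wide - narrow));                 /* 0x100000000 */
    printf("signed fix   : %td\n", offset_fixed(value, off6));  /* 1220 */
    return 0;
}
```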

            People

            • Assignee:
              ghalliday Gavin Halliday
            • Reporter:
              ghalliday Gavin Halliday