Bug#264453: [Pkg-firebird-general] Bug#264453: Very likely not exploitable

Florian Weimer fw at deneb.enyo.de
Mon Oct 31 08:29:29 UTC 2005


* Damyan Ivanov:

> So I decided to check whether fb_lock_mgr actually uses this source. It seems
> to be linked with jrd statically. (From what I see in the makefile spaghetti)

This is only a problem if it also invokes setlocale, to activate the
localized message files.

> So, what is the code, that is considered unsafe?

I believe it's now in line 959.

| case gds_arg_unix:
|         if (code > 0 && code < sys_nerr && (p = (TEXT*)sys_errlist[code]))
|                 strcpy(s, p);
|         else if (code == 60)
|                 strcpy(s, "connection timed out");
|         else if (code == 61)
|                 strcpy(s, "connection refused");
|         else
|                 sprintf(s, "unknown unix error %ld", code);     /* TXNN */
|         break;

Just horrible. 8-(

You could check that strlen(sys_errlist[code]) is less than 64 at this
point or something like that.  One (very indirect) caller I found
allocates a buffer of 1024 bytes.

But look at the code above:

| case gds_arg_interpreted:
|         p = s;
|         q = (TEXT *) (*vector)[1];
|         while ((*p++ = *q++) /*!= NULL*/);
|         break;

This is even more suspicious.
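For comparison, a bounded rewrite of the two quoted cases, added here as an illustration; it is not Firebird's code. Both functions take the destination size explicitly and report truncation instead of writing past the buffer. `k_errlist` is a constructed stand-in for the libc `sys_errlist` table, so the example builds on current systems.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sys_errlist / sys_nerr (not the real table). */
static const char *const k_errlist[] = {
    "Success", "Operation not permitted", "No such file or directory"
};
static const long k_nerr = (long)(sizeof k_errlist / sizeof k_errlist[0]);

/* Bounded version of the gds_arg_unix case.  Returns 0 if the message
 * fit, -1 if it was truncated; s is NUL-terminated in both cases. */
int format_unix_error(char *s, size_t s_len, long code)
{
    const char *p = NULL;
    int n;

    if (s == NULL || s_len == 0)
        return -1;
    if (code > 0 && code < k_nerr)
        p = k_errlist[code];

    if (p != NULL)
        n = snprintf(s, s_len, "%s", p);
    else if (code == 60)
        n = snprintf(s, s_len, "connection timed out");
    else if (code == 61)
        n = snprintf(s, s_len, "connection refused");
    else
        n = snprintf(s, s_len, "unknown unix error %ld", code);

    /* snprintf reports the length it wanted; >= s_len means truncation. */
    return (n < 0 || (size_t)n >= s_len) ? -1 : 0;
}

/* Bounded version of the gds_arg_interpreted copy loop.  Never reads or
 * writes more than s_len bytes; returns -1 if q did not fit. */
int copy_interpreted(char *s, size_t s_len, const char *q)
{
    size_t i;

    if (s == NULL || s_len == 0 || q == NULL)
        return -1;
    for (i = 0; i + 1 < s_len && q[i] != '\0'; i++)
        s[i] = q[i];
    s[i] = '\0';
    return q[i] == '\0' ? 0 : -1;
}
```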
