mysql_adaptor: fix OOB when reading PT_DOUBLE from user_properties

jengelh · jengelh · commit f2be1f2dd3da · 2025-03-16T14:05:50.000+01:00
==65777==ERROR: AddressSanitizer: stack-buffer-overflow
READ of size 8 at 0x7b5db59df070 thread T27
f0 propval_dup(unsigned short, void const*) lib/mapi/propval.cpp:62
f1 tpropval_array_append lib/mapi/tpropval_array.cpp:29
f2 TPROPVAL_ARRAY::set(unsigned int, void const*) lib/mapi/tpropval_array.cpp:54
f3 gromox::mysql_plugin::get_user_props(char const*, TPROPVAL_ARRAY&amp;)
   exch/mysql_adaptor/sql2.cpp:689
f4 mysql_adaptor_get_user_properties(char const*, TPROPVAL_ARRAY&amp;)
   exch/mysql_adaptor/sql2.cpp:903
f5 gromox::EWS::Requests::process(gromox::EWS::Structures::mResolveNamesRequest&amp;&amp;,
   tinyxml2::XMLElement*, gromox::EWS::EWSContext const&amp;)
   exch/ews/requests.cpp:1376
f6 process&lt;gromox::EWS::Structures::mResolveNamesRequest&gt; exch/ews/ews.cpp:222

Fixes: gromox-2.9-75-ge96ad0a9e
diff --git a/exch/mysql_adaptor/sql2.cpp b/exch/mysql_adaptor/sql2.cpp
@@ -685,7 +685,7 @@ bool mysql_plugin::get_user_props(const char *username,
 		}
 		case PT_DOUBLE:
 		case PT_APPTIME: {
-			float converted = strtof(strval, nullptr);
+			double converted = strtod(strval, nullptr);
 			if (properties.set(tag, &converted) != 0)
 				return false;
 			break;

Original file line number	Diff line number	Diff line change
`@@ -685,7 +685,7 @@ bool mysql_plugin::get_user_props(const char *username,`
`685`	`685`	`}`
`686`	`686`	`case PT_DOUBLE:`
`687`	`687`	`case PT_APPTIME: {`
`688`		`- float converted = strtof(strval, nullptr);`
	`688`	`+ double converted = strtod(strval, nullptr);`
`689`	`689`	`if (properties.set(tag, &converted) != 0)`
`690`	`690`	`return false;`
`691`	`691`	`break;`