authorMike Kaganski <mike.kaganski@collabora.com>2021-09-01 17:41:05 +0200
committerMike Kaganski <mike.kaganski@collabora.com>2021-09-02 06:11:08 +0200
commit2e5dad443a30055d93dbcb3bf9cac906e80b2e25 (patch)
tree399c956979675a7e63193dcdc8a662cb8c0e253e /connectivity/source
parent368e21fbc34fa4104f16498a54ab77704f39e6b4 (diff)
tdf#144230: sanitize string length embedded in SQL_VARYING data
It is unclear why the length may be wrong; but at least be safe to avoid buffer overruns. Wrt the validity of sqllen here: see SQLDAMetadata::scatterData in firebird's src/yvalve/why.cpp. Change-Id: Icc24c1cc0db66c20732188ab0621cde53c1ba5c2 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121458 Tested-by: Jenkins Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
Diffstat (limited to 'connectivity/source')
-rw-r--r--connectivity/source/drivers/firebird/ResultSet.cxx5
1 files changed, 3 insertions, 2 deletions
diff --git a/connectivity/source/drivers/firebird/ResultSet.cxx b/connectivity/source/drivers/firebird/ResultSet.cxx
index 0e0361a7bbd8..17e87cf8a55d 100644
--- a/connectivity/source/drivers/firebird/ResultSet.cxx
+++ b/connectivity/source/drivers/firebird/ResultSet.cxx
@@ -579,10 +579,11 @@ OUString OResultSet::retrieveValue(const sal_Int32 nColumnIndex, const ISC_SHORT
else if (aSqlType == SQL_VARYING)
{
// First 2 bytes are a short containing the length of the string
- // No idea if sqllen is still valid here?
+ // Under unclear conditions, it may be wrong and greater than sqllen.
sal_uInt16 aLength = *reinterpret_cast<sal_uInt16*>(m_pSqlda->sqlvar[nColumnIndex-1].sqldata);
+ // Use greater signed type sal_Int32 to get the minimum of two 16-bit values
return OUString(m_pSqlda->sqlvar[nColumnIndex-1].sqldata + 2,
- aLength,
+ std::min<sal_Int32>(aLength, m_pSqlda->sqlvar[nColumnIndex-1].sqllen),
RTL_TEXTENCODING_UTF8);
}
else if ((aSqlType == SQL_SHORT || aSqlType == SQL_LONG ||
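Review bot: The clamp on the new return line silently truncates the string whenever the embedded length exceeds sqllen, which hides exactly the condition the commit message says it cannot explain; the mismatch should at least be reported so the root cause can be chased later, e.g. `SAL_WARN_IF(aLength > m_pSqlda->sqlvar[nColumnIndex-1].sqllen, "connectivity.firebird", "SQL_VARYING length " << aLength << " exceeds declared sqllen");` placed before the return. The bound also relies on sqldata having been allocated with sqllen + 2 bytes for SQL_VARYING, which is not visible in this hunk and worth stating in the comment on the new line, e.g. `// sqldata for SQL_VARYING is allocated as sqllen + 2 bytes, so sqllen is the hard upper bound`. Because sqllen is a signed ISC_SHORT, a negative value (not expected from a server-filled sqlda, but unchecked here) would make the min negative and hand an invalid length to the OUString constructor; wrapping the result in `std::max<sal_Int32>(0, ...)` would close that gap. std::min requires <algorithm>, which this hunk cannot confirm is included. retrieveValue begins before and continues after this hunk.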