Skip to content

Commit 852aed3

Browse files
Ensure that the array position passed to var.getvalue() does not exceed the
number of elements allocated in the array!
1 parent 1eba9d5 commit 852aed3

File tree

2 files changed

+13
-0
lines changed

2 files changed

+13
-0
lines changed

src/Variable.c

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -699,6 +699,14 @@ static PyObject *Variable_GetSingleValue(udt_Variable *var, uint32_t arrayPos)
699699
PyObject *value, *result;
700700
dpiData *data;
701701

702+
// ensure we do not exceed the number of allocated elements
703+
if (arrayPos >= var->allocatedElements) {
704+
PyErr_SetString(PyExc_IndexError,
705+
"Variable_GetSingleValue: array size exceeded");
706+
return NULL;
707+
}
708+
709+
// return the value
702710
data = &var->data[arrayPos];
703711
if (data->isNull)
704712
Py_RETURN_NONE;

test/StringVar.py

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,11 @@ def testBindDifferentVar(self):
4949
retval = retval_2)
5050
self.assertEqual(retval_2.getvalue(), "Called")
5151

52+
def testExceedsNumElements(self):
53+
"test exceeding the number of elements returns IndexError"
54+
var = self.cursor.var(str)
55+
self.assertRaises(IndexError, var.getvalue, 1)
56+
5257
def testBindStringAfterNumber(self):
5358
"test binding in a string after setting input sizes to a number"
5459
self.cursor.setinputsizes(value = cx_Oracle.NUMBER)

0 commit comments

Comments
 (0)