Ensure that the array position passed to var.getvalue() does not exceed the

number of elements allocated in the array!

Author: anthony-tuininga

src/Variable.c

@@ -699,6 +699,14 @@ static PyObject *Variable_GetSingleValue(udt_Variable *var, uint32_t arrayPos)
     PyObject *value, *result;
     dpiData *data;
 
+    // ensure we do not exceed the number of allocated elements
+    if (arrayPos >= var->allocatedElements) {
+        PyErr_SetString(PyExc_IndexError,
+                "Variable_GetSingleValue: array size exceeded");
+        return NULL;
+    }
+
+    // return the value
     data = &var->data[arrayPos];
     if (data->isNull)
         Py_RETURN_NONE;

test/StringVar.py

@@ -49,6 +49,11 @@ def testBindDifferentVar(self):
                 retval = retval_2)
         self.assertEqual(retval_2.getvalue(), "Called")
 
+    def testExceedsNumElements(self):
+        "test exceeding the number of elements returns IndexError"
+        var = self.cursor.var(str)
+        self.assertRaises(IndexError, var.getvalue, 1)
+
     def testBindStringAfterNumber(self):
         "test binding in a string after setting input sizes to a number"
         self.cursor.setinputsizes(value = cx_Oracle.NUMBER)