Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the
authorTom Lane <[email protected]>
Tue, 21 Aug 2007 02:40:12 +0000 (02:40 +0000)
committerTom Lane <[email protected]>
Tue, 21 Aug 2007 02:40:12 +0000 (02:40 +0000)
byte after the last full byte of the bit array, regardless of whether that
byte was part of the valid data or not.  Found by buildfarm testing.
Thanks to Stefan Kaltenbrunner for nailing down the cause.

src/backend/utils/adt/varbit.c

index d1a959e2e8cf9d8cf61c9d88d5eef6f06219d3a6..d5c03dadcc9b8bc7ad1b2b753f1064b7ca4559cd 100644 (file)
@@ -468,8 +468,9 @@ varbit_out(PG_FUNCTION_ARGS)
        result = (char *) palloc(len + 1);
        sp = VARBITS(s);
        r = result;
-       for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
+       for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
        {
+               /* print full bytes */
                x = *sp;
                for (k = 0; k < BITS_PER_BYTE; k++)
                {
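Review bot: The new bound `i <= len - BITS_PER_BYTE` on the outer `for` is only safe if `len` and `i` are signed, because for a bit string shorter than BITS_PER_BYTE the subtraction has to go negative so that the full-byte loop is skipped and `*sp` is never read. The declarations are outside this hunk, so that cannot be confirmed from here; with a plain `int` the condition is correct, but an unsigned type would wrap and turn this into a far larger over-read than the one the commit fixes. I would record that dependency in the comment the hunk already adds, e.g. `/* print full bytes; len is signed, so len < BITS_PER_BYTE skips this loop */`. varbit_out's body starts before this hunk and continues after it.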
@@ -477,11 +478,15 @@ varbit_out(PG_FUNCTION_ARGS)
                        x <<= 1;
                }
        }
-       x = *sp;
-       for (k = i; k < len; k++)
+       if (i < len)
        {
-               *r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
-               x <<= 1;
+               /* print the last partial byte */
+               x = *sp;
+               for (k = i; k < len; k++)
+               {
+                       *r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
+                       x <<= 1;
+               }
        }
        *r = '\0';