| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Avoid fetching one past the end of translate()'s "to" parameter. |
| Date: | 2023-03-01 16:30:42 |
| Message-ID: | [email protected] |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Avoid fetching one past the end of translate()'s "to" parameter.
This is usually harmless, but if you were very unlucky it could
provoke a segfault due to the "to" string being right up against
the end of memory. Found via valgrind testing (so we might've
found it earlier, except that our regression tests lacked any
exercise of translate()'s deletion feature).
Fix by switching the order of the test-for-end-of-string and
advance-pointer steps. While here, compute "to_ptr + tolen"
just once. (Smarter compilers might figure that out for
themselves, but let's just make sure.)
Report and fix by Daniil Anisimov, in bug #17816.
Discussion: https://postgr.es/m/[email protected]
Branch
------
REL_11_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/b1a9d8ef254fab59c35a504490e14b2d9e1bbb92
Modified Files
--------------
src/backend/utils/adt/oracle_compat.c | 12 +++++++-----
src/test/regress/expected/strings.out | 6 ++++++
src/test/regress/sql/strings.sql | 1 +
3 files changed, 14 insertions(+), 5 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2023-03-02 05:04:31 | pgsql: pageinspect: Fix crash with gist_page_items() |
| Previous Message | Tomas Vondra | 2023-03-01 15:13:03 | pgsql: Fix condition in pg_dump TAP test |