Commit 3f9132e

Be more wary of corrupt data in pageinspect's heap_page_items().

The original intent in heap_page_items() was to return nulls, not
throw an error or crash, if an item was sufficiently corrupt that
we couldn't safely extract data from it. However, commit d6061f8
utterly missed that memo, and not only put in an un-length-checked
copy of the tuple's data section, but also managed to break the check
on sane nulls-bitmap length. Either mistake could possibly lead to
a SIGSEGV crash if the tuple is corrupt.

Bug: #18896
Reported-by: Dmitry Kovalenko <d.kovalenko@postgrespro.ru>
Author: Dmitry Kovalenko <d.kovalenko@postgrespro.ru>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/18896-add267b8e06663e3@postgresql.org
Backpatch-through: 13

1 parent 6a3e578, commit 3f9132e

1 file changed: +27 -18 lines changed

‎contrib/pageinspect/heapfuncs.c

Lines changed: 27 additions & 18 deletions
Original file line number / Diff line number / Diff line change
@@ -210,11 +210,8 @@ heap_page_items(PG_FUNCTION_ARGS)
210210
lp_offset+lp_len <=raw_page_size)
211211
{
212212
HeapTupleHeadertuphdr;
213-
bytea*tuple_data_bytea;
214-
inttuple_data_len;
215213

216214
/* Extract information from the tuple header */
217-
218215
tuphdr= (HeapTupleHeader)PageGetItem(page,id);
219216

220217
values[4]=UInt32GetDatum(HeapTupleHeaderGetRawXmin(tuphdr));
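Review bot: The header-field reads that follow `PageGetItem(page,id)` in this block, starting at `values[4]=UInt32GetDatum(HeapTupleHeaderGetRawXmin(tuphdr))`, are unconditional, and the only bound visible in the context is `lp_offset+lp_len <=raw_page_size`. Please confirm that the rest of the enclosing condition guarantees lp_len covers at least the fixed tuple header, and say so in the "Extract information from the tuple header" comment, since the stated goal is to tolerate corrupt items without crashing.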
@@ -226,31 +223,32 @@ heap_page_items(PG_FUNCTION_ARGS)
226223
values[9]=UInt32GetDatum(tuphdr->t_infomask);
227224
values[10]=UInt8GetDatum(tuphdr->t_hoff);
228225

229-
/* Copy raw tuple data into bytea attribute */
230-
tuple_data_len=lp_len-tuphdr->t_hoff;
231-
tuple_data_bytea= (bytea*)palloc(tuple_data_len+VARHDRSZ);
232-
SET_VARSIZE(tuple_data_bytea,tuple_data_len+VARHDRSZ);
233-
memcpy(VARDATA(tuple_data_bytea), (char*)tuphdr+tuphdr->t_hoff,
234-
tuple_data_len);
235-
values[13]=PointerGetDatum(tuple_data_bytea);
236-
237226
/*
238227
* We already checked that the item is completely within the raw
239228
* page passed to us, with the length given in the line pointer.
240-
*Let's check thatt_hoffdoesn't point over lp_len,beforeusing
241-
* it toaccess t_bits and oid.
229+
*Butt_hoffcould be out of range, so check itbeforerelying on
230+
* it tofetch additional info.
242231
*/
243232
if (tuphdr->t_hoff >=SizeofHeapTupleHeader&&
244233
tuphdr->t_hoff <=lp_len&&
245234
tuphdr->t_hoff==MAXALIGN(tuphdr->t_hoff))
246235
{
236+
inttuple_data_len;
237+
bytea*tuple_data_bytea;
238+
239+
/* Copy null bitmask and OID, if present */
247240
if (tuphdr->t_infomask&HEAP_HASNULL)
248241
{
249-
intbits_len;
250-
251-
bits_len=
252-
BITMAPLEN(HeapTupleHeaderGetNatts(tuphdr))*BITS_PER_BYTE;
253-
values[11]=CStringGetTextDatum(bits_to_text(tuphdr->t_bits,bits_len));
242+
intbitmaplen;
243+
244+
bitmaplen=BITMAPLEN(HeapTupleHeaderGetNatts(tuphdr));
245+
/* better range-check the attribute count, too */
246+
if (bitmaplen <=tuphdr->t_hoff-SizeofHeapTupleHeader)
247+
values[11]=
248+
CStringGetTextDatum(bits_to_text(tuphdr->t_bits,
249+
bitmaplen*BITS_PER_BYTE));
250+
else
251+
nulls[11]= true;
254252
}
255253
else
256254
nulls[11]= true;
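Review bot: The new test `bitmaplen <=tuphdr->t_hoff-SizeofHeapTupleHeader` is only sound because the enclosing `if` has already established `tuphdr->t_hoff >=SizeofHeapTupleHeader`; without that lower bound the right-hand side would not be a usable limit. The comment "better range-check the attribute count, too" does not state this dependency. Suggest expanding it to say that the nulls bitmap must fit between the fixed header and t_hoff, and that the subtraction relies on the outer check, so a later reshuffle of these conditions does not silently reintroduce the over-read of t_bits.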
@@ -259,11 +257,22 @@ heap_page_items(PG_FUNCTION_ARGS)
259257
values[12]=HeapTupleHeaderGetOidOld(tuphdr);
260258
else
261259
nulls[12]= true;
260+
261+
/* Copy raw tuple data into bytea attribute */
262+
tuple_data_len=lp_len-tuphdr->t_hoff;
263+
tuple_data_bytea= (bytea*)palloc(tuple_data_len+VARHDRSZ);
264+
SET_VARSIZE(tuple_data_bytea,tuple_data_len+VARHDRSZ);
265+
if (tuple_data_len>0)
266+
memcpy(VARDATA(tuple_data_bytea),
267+
(char*)tuphdr+tuphdr->t_hoff,
268+
tuple_data_len);
269+
values[13]=PointerGetDatum(tuple_data_bytea);
262270
}
263271
else
264272
{
265273
nulls[11]= true;
266274
nulls[12]= true;
275+
nulls[13]= true;
267276
}
268277
}
269278
else
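Review bot: Nothing in this commit exercises the new `nulls[13]= true` branch or the `if (tuple_data_len>0)` guard, since the only file changed is contrib/pageinspect/heapfuncs.c. A regression case that passes heap_page_items() a raw page whose item has an out-of-range t_hoff, and expects nulls for values[11], values[12] and values[13] rather than an error, would pin the behaviour the commit message describes. It would also help to note next to `tuple_data_len=lp_len-tuphdr->t_hoff` that the result cannot be negative only because of the `tuphdr->t_hoff <=lp_len` test in the enclosing `if`.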
