Commit 8036097
Avoid possibly accessing off the end of memory in examine_attribute().

Since the last couple of columns of pg_type are often NULL, sizeof(FormData_pg_type) can be an overestimate of the actual size of the tuple data part. Therefore memcpy'ing that much out of the catalog cache, as analyze.c was doing, poses a small risk of copying past the end of memory and incurring SIGSEGV. No such crash has been identified in the field, but we've certainly seen the equivalent happen in other code paths, so patch this one all the way back.

Per valgrind testing by Noah Misch, though this is not his proposed patch. I chose to use SearchSysCacheCopy1 rather than inventing special-purpose infrastructure for copying only the minimal part of a pg_type tuple.

1 parent 1426abb, commit 8036097
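The defect class the commit message describes (reading sizeof(struct) bytes from a row whose stored data is shorter because trailing nullable columns were omitted) and both ways of avoiding it can be shown in a small model. The code below is an added illustration, not PostgreSQL's analyze.c; FormDataDemo, TupleDemo, FIXED_PART and the helper names are constructed for the demo and do not mirror the real FormData_pg_type or syscache API. tuple_copy() stands in for the "copy the whole tuple" approach the commit chose, and copy_fixed_part() for the "copy only the minimal part" alternative it mentions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a catalog row layout (not the real pg_type):
 * fixed-width leading columns, then trailing columns that are often NULL.
 * When they are NULL the stored data is shorter than sizeof(FormDataDemo). */
typedef struct {
    uint32_t oid;
    int16_t  typlen;
    bool     typbyval;
    char     typdefault[64];   /* often NULL -> not stored at all */
    char     typacl[64];       /* often NULL -> not stored at all */
} FormDataDemo;

/* Number of leading bytes every stored row must contain. */
#define FIXED_PART ((size_t) offsetof(FormDataDemo, typdefault))

/* Minimal tuple model: t_len is the number of bytes actually stored. */
typedef struct {
    size_t   t_len;
    uint8_t *t_data;
} TupleDemo;

/* Bytes that memcpy(dst, t_data, sizeof(FormDataDemo)) would read past the
 * end of the stored data; 0 means that copy stays in bounds. */
size_t overread_bytes(const TupleDemo *tup)
{
    return tup->t_len < sizeof(FormDataDemo) ? sizeof(FormDataDemo) - tup->t_len : 0;
}

/* Mitigation A (what the commit chose): copy the whole tuple, sized by the
 * tuple's own length, and read fields out of that copy. Free with tuple_free(). */
TupleDemo *tuple_copy(const TupleDemo *src)
{
    TupleDemo *dst = malloc(sizeof *dst);
    if (dst == NULL)
        return NULL;
    dst->t_len = src->t_len;
    dst->t_data = malloc(src->t_len);
    if (dst->t_data == NULL) {
        free(dst);
        return NULL;
    }
    memcpy(dst->t_data, src->t_data, src->t_len);
    return dst;
}

void tuple_free(TupleDemo *t)
{
    if (t != NULL) {
        free(t->t_data);
        free(t);
    }
}

/* Mitigation B (the special-purpose alternative): copy only the fixed part,
 * which every row has, into a zeroed struct, after checking the length. */
bool copy_fixed_part(const TupleDemo *src, FormDataDemo *out)
{
    if (src->t_len < FIXED_PART)
        return false;
    memset(out, 0, sizeof *out);
    memcpy(out, src->t_data, FIXED_PART);
    return true;
}

/* Constructed sample row whose trailing columns are NULL, so the data buffer
 * is exactly FIXED_PART bytes long. Caller frees t_data. */
TupleDemo make_short_tuple(uint32_t oid, int16_t typlen, bool typbyval)
{
    FormDataDemo tmp;
    TupleDemo t;
    memset(&tmp, 0, sizeof tmp);
    tmp.oid = oid;
    tmp.typlen = typlen;
    tmp.typbyval = typbyval;
    t.t_len = FIXED_PART;
    t.t_data = malloc(t.t_len);
    memcpy(t.t_data, &tmp, t.t_len);
    return t;
}

/* Self-checks that return results instead of printing them. */
size_t demo_overread_for_short_row(void)
{
    TupleDemo t = make_short_tuple(23, 4, true);
    size_t n = overread_bytes(&t);      /* the unsafe pattern's overread */
    free(t.t_data);
    return n;
}

bool demo_fixed_copy_roundtrip(void)
{
    TupleDemo t = make_short_tuple(23, 4, true);
    FormDataDemo f;
    bool ok = copy_fixed_part(&t, &f) && f.oid == 23 && f.typlen == 4
              && f.typbyval && f.typdefault[0] == '\0';
    free(t.t_data);
    return ok;
}

bool demo_tuple_copy_roundtrip(void)
{
    TupleDemo t = make_short_tuple(23, 4, true);
    TupleDemo *c = tuple_copy(&t);
    uint32_t oid = 0;
    bool ok = c != NULL && c->t_len == t.t_len
              && memcmp(c->t_data, t.t_data, t.t_len) == 0;
    if (ok)
        memcpy(&oid, c->t_data, sizeof oid);   /* field read stays inside t_len */
    tuple_free(c);
    free(t.t_data);
    return ok && oid == 23;
}

int main(void)
{
    printf("sizeof-based copy would overread %zu bytes\n", demo_overread_for_short_row());
    printf("fixed-part copy ok: %d, whole-tuple copy ok: %d\n",
           demo_fixed_copy_roundtrip(), demo_tuple_copy_roundtrip());
    return 0;
}
```

The point to carry over to a real code base is that the copy length must come from the source object's own recorded length (here t_len), never from sizeof the struct you intend to overlay on it; running the program under valgrind or AddressSanitizer with the unsafe memcpy reinstated is how the original report surfaced the problem.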
1 file changed: 5 additions & 7 deletions
The code lines of the diff did not survive extraction; only the line-number columns remain.

- Hunk 1 (original lines 655-668, new lines 655-666): original lines 658-660 removed and new lines 658-660 added; original lines 663-665 removed and new line 663 added.
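Review bot: the changed code in this hunk was not captured in this rendering, so the only check possible here is against the commit message: with SearchSysCacheCopy1 replacing the memcpy of sizeof(FormData_pg_type) out of the catalog cache, the Form_pg_type pointer should be taken directly from the copied tuple (GETSTRUCT) with no separate palloc, and the copy, being a palloc'd tuple rather than a pinned cache entry, must be released with heap_freetuple rather than ReleaseSysCache. Confirm the hunk contains no leftover ReleaseSysCache call for the copied tuple.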
- Hunk 2 (original lines 678-684, new lines 676-682): original line 681 removed and new line 679 added.
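Review bot: the content of this one-line replacement (original 681 replaced by new 679) did not survive extraction; since the tuple returned by SearchSysCacheCopy1 is a palloc'd copy, confirm that every exit path of examine_attribute() that runs after the copy is made frees it with heap_freetuple, and that a pfree of the previously memcpy'd struct is not left behind.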