Commit 0ff9718

Fix inadequately-sized output buffer in contrib/unaccent.

The output buffer size in unaccent_lexize() was calculated as input string length times pg_database_encoding_max_length(), which effectively assumes that replacement strings aren't more than one character. While that was all that we previously documented it to support, the code actually has always allowed replacement strings of arbitrary length; so if you tried to make use of longer strings, you were at risk of buffer overrun. To fix, use an expansible StringInfo buffer instead of trying to determine the maximum space needed a-priori.

This would be a security issue if unaccent rules files could be installed by unprivileged users; but fortunately they can't, so in the back branches the problem can be labeled as improper configuration by a superuser. Nonetheless, a memory stomp isn't a nice way of reacting to improper configuration, so let's back-patch the fix.

1 parent 555d0b2, commit 0ff9718

1 file changed: +27 -24 lines changed

‎contrib/unaccent/unaccent.c

Lines changed: 27 additions & 24 deletions
Original file line number | Diff line number | Diff line change
@@ -16,6 +16,7 @@
1616
#include"fmgr.h"
1717
#include"catalog/namespace.h"
1818
#include"commands/defrem.h"
19+
#include"lib/stringinfo.h"
1920
#include"mb/pg_wchar.h"
2021
#include"tsearch/ts_cache.h"
2122
#include"tsearch/ts_locale.h"
@@ -267,46 +268,48 @@ unaccent_lexize(PG_FUNCTION_ARGS)
267268
SuffixChar*rootSuffixTree= (SuffixChar*)PG_GETARG_POINTER(0);
268269
char*srcchar= (char*)PG_GETARG_POINTER(1);
269270
int32len=PG_GETARG_INT32(2);
270-
char*srcstart,
271-
*trgchar=NULL;
272-
intcharlen;
273-
TSLexeme*res=NULL;
274-
SuffixChar*node;
271+
char*srcstart=srcchar;
272+
TSLexeme*res;
273+
StringInfoDatabuf;
274+
275+
/* we allocate storage for the buffer only if needed */
276+
buf.data=NULL;
275277

276-
srcstart=srcchar;
277278
while (srcchar-srcstart<len)
278279
{
280+
SuffixChar*node;
281+
intcharlen;
282+
279283
charlen=pg_mblen(srcchar);
280284

281285
node=findReplaceTo(rootSuffixTree, (unsignedchar*)srcchar,charlen);
282286
if (node&&node->replaceTo)
283287
{
284-
if (!res)
288+
if (buf.data==NULL)
285289
{
286-
/* allocate res only it it's needed */
287-
res=palloc0(sizeof(TSLexeme)*2);
288-
res->lexeme=trgchar=palloc(len*pg_database_encoding_max_length()+1/* \0 */ );
289-
res->flags=TSL_FILTER;
290+
/* initialize buffer */
291+
initStringInfo(&buf);
292+
/* insert any data we already skipped over */
290293
if (srcchar!=srcstart)
291-
{
292-
memcpy(trgchar,srcstart,srcchar-srcstart);
293-
trgchar+= (srcchar-srcstart);
294-
}
294+
appendBinaryStringInfo(&buf,srcstart,srcchar-srcstart);
295295
}
296-
memcpy(trgchar,node->replaceTo,node->replacelen);
297-
trgchar+=node->replacelen;
298-
}
299-
elseif (res)
300-
{
301-
memcpy(trgchar,srcchar,charlen);
302-
trgchar+=charlen;
296+
appendBinaryStringInfo(&buf,node->replaceTo,node->replacelen);
303297
}
298+
elseif (buf.data!=NULL)
299+
appendBinaryStringInfo(&buf,srcchar,charlen);
304300

305301
srcchar+=charlen;
306302
}
307303

308-
if (res)
309-
*trgchar='\0';
304+
/* return a result only if we made at least one substitution */
305+
if (buf.data!=NULL)
306+
{
307+
res= (TSLexeme*)palloc0(sizeof(TSLexeme)*2);
308+
res->lexeme=buf.data;
309+
res->flags=TSL_FILTER;
310+
}
311+
else
312+
res=NULL;
310313

311314
PG_RETURN_POINTER(res);
312315
}
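
Review bot: the rewritten loop in unaccent_lexize() comes with no regression test for the case it fixes. Only contrib/unaccent/unaccent.c is touched, so nothing exercises a rule whose replaceTo is longer than one character, which is exactly where the removed `len*pg_database_encoding_max_length()+1` allocation could be overrun. Suggest adding a multi-character replacement rule to the module's regression tests and checking the expanded output. The commit message also says single-character replacements were all that was documented, so the documentation should be updated in the same change to say whether longer replacements are supported. Minor: `buf.data=NULL` serves as the "not yet initialized" flag while the other StringInfoData fields stay unset until initStringInfo() runs; the comment at the declaration covers it, but a separate boolean would make that invariant harder to break in later edits.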
