NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit1a9356f

committed

Avoid fetching one past the end of translate()'s "to" parameter.

This is usually harmless, but if you were very unlucky it couldprovoke a segfault due to the "to" string being right up againstthe end of memory. Found via valgrind testing (so we might'vefound it earlier, except that our regression tests lacked anyexercise of translate()'s deletion feature).Fix by switching the order of the test-for-end-of-string andadvance-pointer steps. While here, compute "to_ptr + tolen"just once. (Smarter compilers might figure that out forthemselves, but let's just make sure.)Report and fix by Daniil Anisimov, in bug #17816.Discussion:https://postgr.es/m/17816-70f3d2764e88a108@postgresql.org

1 parentba019b4 commit1a9356fCopy full SHA for 1a9356f

File tree

3 files changed

+14

-5

lines changed

src
- backend/utils/adt
  - oracle_compat.c
- test/regress
  - expected
    - strings.out
  - sql
    - strings.sql

3 files changed

+14

-5

lines changed

`‎src/backend/utils/adt/oracle_compat.c‎`

Lines changed: 7 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -797,7 +797,8 @@ translate(PG_FUNCTION_ARGS)`
`797`	`797`	`text*to=PG_GETARG_TEXT_PP(2);`
`798`	`798`	`text*result;`
`799`	`799`	`char*from_ptr,`
`800`		`-*to_ptr;`
	`800`	`+*to_ptr,`
	`801`	`+*to_end;`
`801`	`802`	`char*source,`
`802`	`803`	`*target;`
`803`	`804`	`intm,`
`@@ -819,6 +820,7 @@ translate(PG_FUNCTION_ARGS)`
`819`	`820`	`from_ptr=VARDATA_ANY(from);`
`820`	`821`	`tolen=VARSIZE_ANY_EXHDR(to);`
`821`	`822`	`to_ptr=VARDATA_ANY(to);`
	`823`	`+to_end=to_ptr+tolen;`
`822`	`824`
`823`	`825`	`/*`
`824`	`826`	`* The worst-case expansion is to substitute a max-length character for a`
`@@ -852,16 +854,16 @@ translate(PG_FUNCTION_ARGS)`
`852`	`854`	`}`
`853`	`855`	`if (i<fromlen)`
`854`	`856`	`{`
`855`		`-/* substitute */`
	`857`	`+/* substitute, or delete if no corresponding "to" character */`
`856`	`858`	`char*p=to_ptr;`
`857`	`859`
`858`	`860`	`for (i=0;i<from_index;i++)`
`859`	`861`	`{`
`860`		`-p+=pg_mblen(p);`
`861`		`-if (p >= (to_ptr+tolen))`
	`862`	`+if (p >=to_end)`
`862`	`863`	`break;`
	`864`	`+p+=pg_mblen(p);`
`863`	`865`	`}`
`864`		`-if (p<(to_ptr+tolen))`
	`866`	`+if (p<to_end)`
`865`	`867`	`{`
`866`	`868`	`len=pg_mblen(p);`
`867`	`869`	`memcpy(target,p,len);`

`‎src/test/regress/expected/strings.out‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2116,6 +2116,12 @@ SELECT translate('12345', '14', 'ax');`
`2116`	`2116`	`a23x5`
`2117`	`2117`	`(1 row)`
`2118`	`2118`
	`2119`	`+SELECT translate('12345', '134', 'a');`
	`2120`	`+ translate`
	`2121`	`+-----------`
	`2122`	`+ a25`
	`2123`	`+(1 row)`
	`2124`	`+`
`2119`	`2125`	`SELECT ascii('x');`
`2120`	`2126`	`ascii`
`2121`	`2127`	`-------`

`‎src/test/regress/sql/strings.sql‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -719,6 +719,7 @@ SELECT ltrim('zzzytrim', 'xyz');`
`719`	`719`
`720`	`720`	`SELECTtranslate('','14','ax');`
`721`	`721`	`SELECTtranslate('12345','14','ax');`
	`722`	`+SELECTtranslate('12345','134','a');`
`722`	`723`
`723`	`724`	`SELECT ascii('x');`
`724`	`725`	`SELECT ascii('');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit1a9356f

File tree

3 files changed

3 files changed

`‎src/backend/utils/adt/oracle_compat.c‎`

`‎src/test/regress/expected/strings.out‎`

`‎src/test/regress/sql/strings.sql‎`

0 commit comments