NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit3b37e84

committed

Avoid fetching one past the end of translate()'s "to" parameter.

This is usually harmless, but if you were very unlucky it couldprovoke a segfault due to the "to" string being right up againstthe end of memory. Found via valgrind testing (so we might'vefound it earlier, except that our regression tests lacked anyexercise of translate()'s deletion feature).Fix by switching the order of the test-for-end-of-string andadvance-pointer steps. While here, compute "to_ptr + tolen"just once. (Smarter compilers might figure that out forthemselves, but let's just make sure.)Report and fix by Daniil Anisimov, in bug #17816.Discussion:https://postgr.es/m/17816-70f3d2764e88a108@postgresql.org

1 parentab5b76c commit3b37e84Copy full SHA for 3b37e84

File tree

3 files changed

+14

-5

lines changed

src
- backend/utils/adt
  - oracle_compat.c
- test/regress
  - expected
    - strings.out
  - sql
    - strings.sql

3 files changed

+14

-5

lines changed

`‎src/backend/utils/adt/oracle_compat.c`

Lines changed: 7 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -723,7 +723,8 @@ translate(PG_FUNCTION_ARGS)`
`723`	`723`	`text*to=PG_GETARG_TEXT_PP(2);`
`724`	`724`	`text*result;`
`725`	`725`	`char*from_ptr,`
`726`		`-*to_ptr;`
	`726`	`+*to_ptr,`
	`727`	`+*to_end;`
`727`	`728`	`char*source,`
`728`	`729`	`*target;`
`729`	`730`	`intm,`
`@@ -745,6 +746,7 @@ translate(PG_FUNCTION_ARGS)`
`745`	`746`	`from_ptr=VARDATA_ANY(from);`
`746`	`747`	`tolen=VARSIZE_ANY_EXHDR(to);`
`747`	`748`	`to_ptr=VARDATA_ANY(to);`
	`749`	`+to_end=to_ptr+tolen;`
`748`	`750`
`749`	`751`	`/*`
`750`	`752`	`* The worst-case expansion is to substitute a max-length character for a`
`@@ -778,16 +780,16 @@ translate(PG_FUNCTION_ARGS)`
`778`	`780`	`}`
`779`	`781`	`if (i<fromlen)`
`780`	`782`	`{`
`781`		`-/* substitute */`
	`783`	`+/* substitute, or delete if no corresponding "to" character */`
`782`	`784`	`char*p=to_ptr;`
`783`	`785`
`784`	`786`	`for (i=0;i<from_index;i++)`
`785`	`787`	`{`
`786`		`-p+=pg_mblen(p);`
`787`		`-if (p >= (to_ptr+tolen))`
	`788`	`+if (p >=to_end)`
`788`	`789`	`break;`
	`790`	`+p+=pg_mblen(p);`
`789`	`791`	`}`
`790`		`-if (p<(to_ptr+tolen))`
	`792`	`+if (p<to_end)`
`791`	`793`	`{`
`792`	`794`	`len=pg_mblen(p);`
`793`	`795`	`memcpy(target,p,len);`

`‎src/test/regress/expected/strings.out`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1988,6 +1988,12 @@ SELECT translate('12345', '14', 'ax');`
`1988`	`1988`	`a23x5`
`1989`	`1989`	`(1 row)`
`1990`	`1990`
	`1991`	`+SELECT translate('12345', '134', 'a');`
	`1992`	`+ translate`
	`1993`	`+-----------`
	`1994`	`+ a25`
	`1995`	`+(1 row)`
	`1996`	`+`
`1991`	`1997`	`SELECT ascii('x');`
`1992`	`1998`	`ascii`
`1993`	`1999`	`-------`

`‎src/test/regress/sql/strings.sql`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -679,6 +679,7 @@ SELECT ltrim('zzzytrim', 'xyz');`
`679`	`679`
`680`	`680`	`SELECTtranslate('','14','ax');`
`681`	`681`	`SELECTtranslate('12345','14','ax');`
	`682`	`+SELECTtranslate('12345','134','a');`
`682`	`683`
`683`	`684`	`SELECT ascii('x');`
`684`	`685`	`SELECT ascii('');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3b37e84

File tree

3 files changed

3 files changed

`‎src/backend/utils/adt/oracle_compat.c`

`‎src/test/regress/expected/strings.out`

`‎src/test/regress/sql/strings.sql`

0 commit comments