Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit444ec16

Browse files
committed
Defend against stack overrun in a few more places.
SplitToVariants() in the ispell code, lseg_inside_poly() in geo_ops.c,and regex_selectivity_sub() in selectivity estimation could recurseuntil stack overflow; fix by adding check_stack_depth() calls.So could next() in the regex compiler, but that case is better fixed byconverting its tail recursion to a loop. (We probably get better codethat way too, since next() can now be inlined into its sole caller.)There remains a reachable stack overrun in the Turkish stemmer, butwe'll need some advice from the Snowball people about how to fix that.Per report from Egor Chindyaskin and Alexander Lakhin. These mistakesare old, so back-patch to all supported branches.Richard Guo and Tom LaneDiscussion:https://postgr.es/m/1661334672.728714027@f473.i.mail.ru
1 parent04f1013 commit444ec16

File tree

4 files changed

+14
-2
lines changed

4 files changed

+14
-2
lines changed

‎src/backend/regex/regc_lex.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -201,6 +201,8 @@ next(struct vars *v)
201201
{
202202
chrc;
203203

204+
next_restart:/* loop here after eating a comment */
205+
204206
/* errors yield an infinite sequence of failures */
205207
if (ISERR())
206208
return0;/* the error has set nexttype to EOS */
@@ -493,8 +495,7 @@ next(struct vars *v)
493495
if (!ATEOS())
494496
v->now++;
495497
assert(v->nexttype==v->lasttype);
496-
returnnext(v);
497-
break;
498+
gotonext_restart;
498499
caseCHR('='):/* positive lookahead */
499500
NOTE(REG_ULOOKAROUND);
500501
RETV(LACON,LATYPE_AHEAD_POS);

‎src/backend/tsearch/spell.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,7 @@
6363
#include"postgres.h"
6464

6565
#include"catalog/pg_collation.h"
66+
#include"miscadmin.h"
6667
#include"tsearch/dicts/spell.h"
6768
#include"tsearch/ts_locale.h"
6869
#include"utils/memutils.h"
@@ -2399,6 +2400,9 @@ SplitToVariants(IspellDict *Conf, SPNode *snode, SplitVar *orig, char *word, int
23992400
char*notprobed;
24002401
intcompoundflag=0;
24012402

2403+
/* since this function recurses, it could be driven to stack overflow */
2404+
check_stack_depth();
2405+
24022406
notprobed= (char*)palloc(wordlen);
24032407
memset(notprobed,1,wordlen);
24042408
var=CopyVar(orig,1);

‎src/backend/utils/adt/geo_ops.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3919,6 +3919,9 @@ lseg_inside_poly(Point *a, Point *b, POLYGON *poly, int start)
39193919
boolres= true,
39203920
intersection= false;
39213921

3922+
/* since this function recurses, it could be driven to stack overflow */
3923+
check_stack_depth();
3924+
39223925
t.p[0]=*a;
39233926
t.p[1]=*b;
39243927
s.p[0]=poly->p[(start==0) ? (poly->npts-1) : (start-1)];

‎src/backend/utils/adt/like_support.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,7 @@
4444
#include"catalog/pg_statistic.h"
4545
#include"catalog/pg_type.h"
4646
#include"mb/pg_wchar.h"
47+
#include"miscadmin.h"
4748
#include"nodes/makefuncs.h"
4849
#include"nodes/nodeFuncs.h"
4950
#include"nodes/supportnodes.h"
@@ -1338,6 +1339,9 @@ regex_selectivity_sub(const char *patt, int pattlen, bool case_insensitive)
13381339
intparen_pos=0;/* dummy init to keep compiler quiet */
13391340
intpos;
13401341

1342+
/* since this function recurses, it could be driven to stack overflow */
1343+
check_stack_depth();
1344+
13411345
for (pos=0;pos<pattlen;pos++)
13421346
{
13431347
if (patt[pos]=='(')

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp