Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit5a421a4

Browse files
committed
Fix inadequately-sized output buffer in contrib/unaccent.
The output buffer size in unaccent_lexize() was calculated as input stringlength times pg_database_encoding_max_length(), which effectively assumesthat replacement strings aren't more than one character. While that wasall that we previously documented it to support, the code actually hasalways allowed replacement strings of arbitrary length; so if you triedto make use of longer strings, you were at risk of buffer overrun. To fix,use an expansible StringInfo buffer instead of trying to determine themaximum space needed a-priori.This would be a security issue if unaccent rules files could be installedby unprivileged users; but fortunately they can't, so in the back branchesthe problem can be labeled as improper configuration by a superuser.Nonetheless, a memory stomp isn't a nice way of reacting to improperconfiguration, so let's back-patch the fix.
1 parent9f03ca9 commit5a421a4

File tree

1 file changed

+24
-21
lines changed

1 file changed

+24
-21
lines changed

‎contrib/unaccent/unaccent.c

Lines changed: 24 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@
1515

1616
#include"catalog/namespace.h"
1717
#include"commands/defrem.h"
18+
#include"lib/stringinfo.h"
1819
#include"tsearch/ts_cache.h"
1920
#include"tsearch/ts_locale.h"
2021
#include"tsearch/ts_public.h"
@@ -309,9 +310,12 @@ unaccent_lexize(PG_FUNCTION_ARGS)
309310
TrieChar*rootTrie= (TrieChar*)PG_GETARG_POINTER(0);
310311
char*srcchar= (char*)PG_GETARG_POINTER(1);
311312
int32len=PG_GETARG_INT32(2);
312-
char*srcstart=srcchar,
313-
*trgchar=NULL;
314-
TSLexeme*res=NULL;
313+
char*srcstart=srcchar;
314+
TSLexeme*res;
315+
StringInfoDatabuf;
316+
317+
/* we allocate storage for the buffer only if needed */
318+
buf.data=NULL;
315319

316320
while (len>0)
317321
{
@@ -322,37 +326,36 @@ unaccent_lexize(PG_FUNCTION_ARGS)
322326
&matchlen);
323327
if (node&&node->replaceTo)
324328
{
325-
if (!res)
329+
if (buf.data==NULL)
326330
{
327-
/* allocate res only if it's needed */
328-
res=palloc0(sizeof(TSLexeme)*2);
329-
res->lexeme=trgchar=palloc(len*pg_database_encoding_max_length()+1/* \0 */ );
330-
res->flags=TSL_FILTER;
331+
/* initialize buffer */
332+
initStringInfo(&buf);
333+
/* insert any data we already skipped over */
331334
if (srcchar!=srcstart)
332-
{
333-
memcpy(trgchar,srcstart,srcchar-srcstart);
334-
trgchar+= (srcchar-srcstart);
335-
}
335+
appendBinaryStringInfo(&buf,srcstart,srcchar-srcstart);
336336
}
337-
memcpy(trgchar,node->replaceTo,node->replacelen);
338-
trgchar+=node->replacelen;
337+
appendBinaryStringInfo(&buf,node->replaceTo,node->replacelen);
339338
}
340339
else
341340
{
342341
matchlen=pg_mblen(srcchar);
343-
if (res)
344-
{
345-
memcpy(trgchar,srcchar,matchlen);
346-
trgchar+=matchlen;
347-
}
342+
if (buf.data!=NULL)
343+
appendBinaryStringInfo(&buf,srcchar,matchlen);
348344
}
349345

350346
srcchar+=matchlen;
351347
len-=matchlen;
352348
}
353349

354-
if (res)
355-
*trgchar='\0';
350+
/* return a result only if we made at least one substitution */
351+
if (buf.data!=NULL)
352+
{
353+
res= (TSLexeme*)palloc0(sizeof(TSLexeme)*2);
354+
res->lexeme=buf.data;
355+
res->flags=TSL_FILTER;
356+
}
357+
else
358+
res=NULL;
356359

357360
PG_RETURN_POINTER(res);
358361
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp