NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit5b64368

committed

Fix incautious handling of possibly-miscoded strings in client code.

An incorrectly-encoded multibyte character near the end of a stringcould cause various processing loops to run past the string'sterminating NUL, with results ranging from no detectable issue toa program crash, depending on what happens to be in the followingmemory.This isn't an issue in the server, because we take care to verifythe encoding of strings before doing any interesting processingon them. However, that lack of care leaked into client-side codewhich shouldn't assume that anyone has validated the encoding ofits input.Although this is certainly a bug worth fixing, the PG security teamelected not to regard it as a security issue, primarily becauseany untrusted text should be sanitized by PQescapeLiteral orthe like before being incorporated into a SQL or psql command.(If an app fails to do so, the same technique can be used tocause SQL injection, with probably much more dire consequencesthan a mere client-program crash.) Those functions were alreadymade proof against this class of problem, cfCVE-2006-2313.To fix, invent PQmblenBounded() which is like PQmblen() except itwon't return more than the number of bytes remaining in the string.In HEAD we can make this a new libpq function, as PQmblen() is.It seems imprudent to change libpq's API in stable branches though,so in the back branches define PQmblenBounded as a macro in the filesthat need it. (Note that just changing PQmblen's behavior would notbe a good idea; notably, it would completely break the escapingfunctions' defense against this exact problem. So we just want aversion for those callers that don't have any better way of handlingthis issue.)Per private report from houjingyi. Back-patch to all supported branches.

1 parentb4c027b commit5b64368Copy full SHA for 5b64368

File tree

11 files changed

+57

-25

lines changed

src
- bin
  - psql
  - scripts
    - common.c
- common
  - jsonapi.c
  - wchar.c
- fe_utils
  - print.c
- include/mb
  - pg_wchar.h
- interfaces/libpq
  - fe-print.c
  - fe-protocol3.c

11 files changed

+57

-25

lines changed

`‎src/bin/psql/common.c`

Lines changed: 15 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@`
`29`	`29`	`#include"portability/instr_time.h"`
`30`	`30`	`#include"settings.h"`
`31`	`31`
	`32`	`+#definePQmblenBounded(s,e) strnlen(s, PQmblen(s, e))`
	`33`	`+`
`32`	`34`	`staticboolDescribeQuery(constcharquery,doubleelapsed_msec);`
`33`	`35`	`staticboolExecQueryUsingCursor(constcharquery,doubleelapsed_msec);`
`34`	`36`	`staticboolcommand_no_begin(constchar*query);`
`@@ -1842,7 +1844,7 @@ skip_white_space(const char *query)`
`1842`	`1844`
`1843`	`1845`	`while (*query)`
`1844`	`1846`	`{`
`1845`		`-intmblen=PQmblen(query,pset.encoding);`
	`1847`	`+intmblen=PQmblenBounded(query,pset.encoding);`
`1846`	`1848`
`1847`	`1849`	`/*`
`1848`	`1850`	`* Note: we assume the encoding is a superset of ASCII, so that for`
`@@ -1879,7 +1881,7 @@ skip_white_space(const char *query)`
`1879`	`1881`	`query++;`
`1880`	`1882`	`break;`
`1881`	`1883`	`}`
`1882`		`-query+=PQmblen(query,pset.encoding);`
	`1884`	`+query+=PQmblenBounded(query,pset.encoding);`
`1883`	`1885`	`}`
`1884`	`1886`	`}`
`1885`	`1887`	`elseif (cnestlevel>0)`
`@@ -1914,7 +1916,7 @@ command_no_begin(const char *query)`
`1914`	`1916`	`*/`
`1915`	`1917`	`wordlen=0;`
`1916`	`1918`	`while (isalpha((unsignedchar)query[wordlen]))`
`1917`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`1919`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`1918`	`1920`
`1919`	`1921`	`/*`
`1920`	`1922`	`* Transaction control commands. These should include every keyword that`
`@@ -1945,7 +1947,7 @@ command_no_begin(const char *query)`
`1945`	`1947`
`1946`	`1948`	`wordlen=0;`
`1947`	`1949`	`while (isalpha((unsignedchar)query[wordlen]))`
`1948`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`1950`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`1949`	`1951`
`1950`	`1952`	`if (wordlen==11&&pg_strncasecmp(query,"transaction",11)==0)`
`1951`	`1953`	`return true;`
`@@ -1979,7 +1981,7 @@ command_no_begin(const char *query)`
`1979`	`1981`
`1980`	`1982`	`wordlen=0;`
`1981`	`1983`	`while (isalpha((unsignedchar)query[wordlen]))`
`1982`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`1984`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`1983`	`1985`
`1984`	`1986`	`if (wordlen==8&&pg_strncasecmp(query,"database",8)==0)`
`1985`	`1987`	`return true;`
`@@ -1995,7 +1997,7 @@ command_no_begin(const char *query)`
`1995`	`1997`
`1996`	`1998`	`wordlen=0;`
`1997`	`1999`	`while (isalpha((unsignedchar)query[wordlen]))`
`1998`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2000`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`1999`	`2001`	`}`
`2000`	`2002`
`2001`	`2003`	`if (wordlen==5&&pg_strncasecmp(query,"index",5)==0)`
`@@ -2006,7 +2008,7 @@ command_no_begin(const char *query)`
`2006`	`2008`
`2007`	`2009`	`wordlen=0;`
`2008`	`2010`	`while (isalpha((unsignedchar)query[wordlen]))`
`2009`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2011`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`2010`	`2012`
`2011`	`2013`	`if (wordlen==12&&pg_strncasecmp(query,"concurrently",12)==0)`
`2012`	`2014`	`return true;`
`@@ -2023,7 +2025,7 @@ command_no_begin(const char *query)`
`2023`	`2025`
`2024`	`2026`	`wordlen=0;`
`2025`	`2027`	`while (isalpha((unsignedchar)query[wordlen]))`
`2026`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2028`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`2027`	`2029`
`2028`	`2030`	`/* ALTER SYSTEM isn't allowed in xacts */`
`2029`	`2031`	`if (wordlen==6&&pg_strncasecmp(query,"system",6)==0)`
`@@ -2046,7 +2048,7 @@ command_no_begin(const char *query)`
`2046`	`2048`
`2047`	`2049`	`wordlen=0;`
`2048`	`2050`	`while (isalpha((unsignedchar)query[wordlen]))`
`2049`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2051`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`2050`	`2052`
`2051`	`2053`	`if (wordlen==8&&pg_strncasecmp(query,"database",8)==0)`
`2052`	`2054`	`return true;`
`@@ -2061,7 +2063,7 @@ command_no_begin(const char *query)`
`2061`	`2063`	`query=skip_white_space(query);`
`2062`	`2064`	`wordlen=0;`
`2063`	`2065`	`while (isalpha((unsignedchar)query[wordlen]))`
`2064`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2066`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`2065`	`2067`
`2066`	`2068`	`/*`
`2067`	`2069`	`* REINDEX [ TABLE \| INDEX ] CONCURRENTLY are not allowed in`
`@@ -2080,7 +2082,7 @@ command_no_begin(const char *query)`
`2080`	`2082`
`2081`	`2083`	`wordlen=0;`
`2082`	`2084`	`while (isalpha((unsignedchar)query[wordlen]))`
`2083`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2085`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`2084`	`2086`
`2085`	`2087`	`if (wordlen==12&&pg_strncasecmp(query,"concurrently",12)==0)`
`2086`	`2088`	`return true;`
`@@ -2100,7 +2102,7 @@ command_no_begin(const char *query)`
`2100`	`2102`
`2101`	`2103`	`wordlen=0;`
`2102`	`2104`	`while (isalpha((unsignedchar)query[wordlen]))`
`2103`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2105`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`2104`	`2106`
`2105`	`2107`	`if (wordlen==3&&pg_strncasecmp(query,"all",3)==0)`
`2106`	`2108`	`return true;`
`@@ -2136,7 +2138,7 @@ is_select_command(const char *query)`
`2136`	`2138`	`*/`
`2137`	`2139`	`wordlen=0;`
`2138`	`2140`	`while (isalpha((unsignedchar)query[wordlen]))`
`2139`		`-wordlen+=PQmblen(&query[wordlen],pset.encoding);`
	`2141`	`+wordlen+=PQmblenBounded(&query[wordlen],pset.encoding);`
`2140`	`2142`
`2141`	`2143`	`if (wordlen==6&&pg_strncasecmp(query,"select",6)==0)`
`2142`	`2144`	`return true;`

`‎src/bin/psql/psqlscanslash.l`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@`
`28`	`28`	`%{`
`29`	`29`	`#include"fe_utils/psqlscan_int.h"`
`30`	`30`
	`31`	`+#definePQmblenBounded(s, e) strnlen(s, PQmblen(s, e))`
	`32`	`+`
`31`	`33`	`/*`
`32`	`34`	`* We must have a typedef YYSTYPE for yylex's first argument, but this lexer`
`33`	`35`	`* doesn't presently make use of that argument, so just declare it as int.`
`@@ -753,7 +755,7 @@ dequote_downcase_identifier(char *str, bool downcase, int encoding)`
`753`	`755`	`{`
`754`	`756`	`if (downcase && !inquotes)`
`755`	`757`	`cp =pg_tolower((unsignedchar) cp);`
`756`		`-cp +=PQmblen(cp, encoding);`
	`758`	`+cp +=PQmblenBounded(cp, encoding);`
`757`	`759`	`}`
`758`	`760`	`}`
`759`	`761`	`}`

`‎src/bin/psql/stringutils.c`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,8 @@`
`12`	`12`	`#include"common.h"`
`13`	`13`	`#include"stringutils.h"`
`14`	`14`
	`15`	`+#definePQmblenBounded(s,e) strnlen(s, PQmblen(s, e))`
	`16`	`+`
`15`	`17`
`16`	`18`	`/*`
`17`	`19`	`* Replacement for strtok() (a.k.a. poor man's flex)`
`@@ -143,7 +145,7 @@ strtokx(const char *s,`
`143`	`145`	`/* okay, we have a quoted token, now scan for the closer */`
`144`	`146`	`charthisquote=*p++;`
`145`	`147`
`146`		`-for (;*p;p+=PQmblen(p,encoding))`
	`148`	`+for (;*p;p+=PQmblenBounded(p,encoding))`
`147`	`149`	`{`
`148`	`150`	`if (*p==escape&&p[1]!='\0')`
`149`	`151`	`p++;/* process escaped anything */`
`@@ -262,7 +264,7 @@ strip_quotes(char *source, char quote, char escape, int encoding)`
`262`	`264`	`elseif (c==escape&&src[1]!='\0')`
`263`	`265`	`src++;/* process escaped character */`
`264`	`266`
`265`		`-i=PQmblen(src,encoding);`
	`267`	`+i=PQmblenBounded(src,encoding);`
`266`	`268`	`while (i--)`
`267`	`269`	`dst++=src++;`
`268`	`270`	`}`
`@@ -324,7 +326,7 @@ quote_if_needed(const char source, const char entails_quote,`
`324`	`326`	`elseif (strchr(entails_quote,c))`
`325`	`327`	`need_quotes= true;`
`326`	`328`
`327`		`-i=PQmblen(src,encoding);`
	`329`	`+i=PQmblenBounded(src,encoding);`
`328`	`330`	`while (i--)`
`329`	`331`	`dst++=src++;`
`330`	`332`	`}`

`‎src/bin/psql/tab-complete.c`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,8 @@`
`73`	`73`	`#defineUSE_FILENAME_QUOTING_FUNCTIONS 1`
`74`	`74`	`#endif`
`75`	`75`
	`76`	`+#definePQmblenBounded(s,e) strnlen(s, PQmblen(s, e))`
	`77`	`+`
`76`	`78`	`/* word break characters */`
`77`	`79`	`#defineWORD_BREAKS"\t\n@$><=;\|&{() "`
`78`	`80`
`@@ -4140,7 +4142,7 @@ _complete_from_query(const char *simple_query,`
`4140`	`4142`	`while (*pstr)`
`4141`	`4143`	`{`
`4142`	`4144`	`char_length++;`
`4143`		`-pstr+=PQmblen(pstr,pset.encoding);`
	`4145`	`+pstr+=PQmblenBounded(pstr,pset.encoding);`
`4144`	`4146`	`}`
`4145`	`4147`
`4146`	`4148`	`/* Free any prior result */`

`‎src/bin/scripts/common.c`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@`
`25`	`25`
`26`	`26`	`#defineERRCODE_UNDEFINED_TABLE "42P01"`
`27`	`27`
	`28`	`+#definePQmblenBounded(s,e) strnlen(s, PQmblen(s, e))`
	`29`	`+`
`28`	`30`	`/*`
`29`	`31`	`* Provide strictly harmonized handling of --help and --version`
`30`	`32`	`* options.`
`@@ -368,7 +370,7 @@ splitTableColumnsSpec(const char *spec, int encoding,`
`368`	`370`	`cp++;`
`369`	`371`	`}`
`370`	`372`	`else`
`371`		`-cp+=PQmblen(cp,encoding);`
	`373`	`+cp+=PQmblenBounded(cp,encoding);`
`372`	`374`	`}`
`373`	`375`	`*table=pnstrdup(spec,cp-spec);`
`374`	`376`	`*columns=cp;`

`‎src/common/jsonapi.c`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -738,7 +738,7 @@ json_lex_string(JsonLexContext *lex)`
`738`	`738`	`ch= (ch16)+ (s-'A')+10;`
`739`	`739`	`else`
`740`	`740`	`{`
`741`		`-lex->token_terminator=s+pg_encoding_mblen(lex->input_encoding,s);`
	`741`	`+lex->token_terminator=s+pg_encoding_mblen_bounded(lex->input_encoding,s);`
`742`	`742`	`returnJSON_UNICODE_ESCAPE_FORMAT;`
`743`	`743`	`}`
`744`	`744`	`}`
`@@ -844,7 +844,7 @@ json_lex_string(JsonLexContext *lex)`
`844`	`844`	`default:`
`845`	`845`	`/* Not a valid string escape, so signal error. */`
`846`	`846`	`lex->token_start=s;`
`847`		`-lex->token_terminator=s+pg_encoding_mblen(lex->input_encoding,s);`
	`847`	`+lex->token_terminator=s+pg_encoding_mblen_bounded(lex->input_encoding,s);`
`848`	`848`	`returnJSON_ESCAPING_INVALID;`
`849`	`849`	`}`
`850`	`850`	`}`
`@@ -858,7 +858,7 @@ json_lex_string(JsonLexContext *lex)`
`858`	`858`	`* shown it's not a performance win.`
`859`	`859`	`*/`
`860`	`860`	`lex->token_start=s;`
`861`		`-lex->token_terminator=s+pg_encoding_mblen(lex->input_encoding,s);`
	`861`	`+lex->token_terminator=s+pg_encoding_mblen_bounded(lex->input_encoding,s);`
`862`	`862`	`returnJSON_ESCAPING_INVALID;`
`863`	`863`	`}`
`864`	`864`

`‎src/common/wchar.c`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1549,6 +1549,11 @@ const pg_wchar_tbl pg_wchar_table[] = {`
`1549`	`1549`
`1550`	`1550`	`/*`
`1551`	`1551`	`* Returns the byte length of a multibyte character.`
	`1552`	`+ *`
	`1553`	`+ * Caution: when dealing with text that is not certainly valid in the`
	`1554`	`+ * specified encoding, the result may exceed the actual remaining`
	`1555`	`+ * string length. Callers that are not prepared to deal with that`
	`1556`	`+ * should use pg_encoding_mblen_bounded() instead.`
`1552`	`1557`	`*/`
`1553`	`1558`	`int`
`1554`	`1559`	`pg_encoding_mblen(intencoding,constchar*mbstr)`
`@@ -1558,6 +1563,16 @@ pg_encoding_mblen(int encoding, const char *mbstr)`
`1558`	`1563`	`pg_wchar_table[PG_SQL_ASCII].mblen((constunsignedchar*)mbstr));`
`1559`	`1564`	`}`
`1560`	`1565`
	`1566`	`+/*`
	`1567`	`+ * Returns the byte length of a multibyte character; but not more than`
	`1568`	`+ * the distance to end of string.`
	`1569`	`+ */`
	`1570`	`+int`
	`1571`	`+pg_encoding_mblen_bounded(intencoding,constchar*mbstr)`
	`1572`	`+{`
	`1573`	`+returnstrnlen(mbstr,pg_encoding_mblen(encoding,mbstr));`
	`1574`	`+}`
	`1575`	`+`
`1561`	`1576`	`/*`
`1562`	`1577`	`* Returns the display length of a multibyte character.`
`1563`	`1578`	`*/`

`‎src/fe_utils/print.c`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3652,6 +3652,9 @@ strlen_max_width(unsigned char str, int target_width, int encoding)`
`3652`	`3652`	`curr_width+=char_width;`
`3653`	`3653`
`3654`	`3654`	`str+=PQmblen((char*)str,encoding);`
	`3655`	`+`
	`3656`	`+if (str>end)/* Don't overrun invalid string */`
	`3657`	`+str=end;`
`3655`	`3658`	`}`
`3656`	`3659`
`3657`	`3660`	`*target_width=curr_width;`

`‎src/include/mb/pg_wchar.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -553,6 +553,7 @@ extern intpg_valid_server_encoding_id(int encoding);`
`553`	`553`	`* earlier in this file are also available from libpgcommon.`
`554`	`554`	`*/`
`555`	`555`	`externintpg_encoding_mblen(intencoding,constchar*mbstr);`
	`556`	`+externintpg_encoding_mblen_bounded(intencoding,constchar*mbstr);`
`556`	`557`	`externintpg_encoding_dsplen(intencoding,constchar*mbstr);`
`557`	`558`	`externintpg_encoding_verifymb(intencoding,constchar*mbstr,intlen);`
`558`	`559`	`externintpg_encoding_max_length(intencoding);`

`‎src/interfaces/libpq/fe-print.c`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@`
`36`	`36`	`#include"libpq-fe.h"`
`37`	`37`	`#include"libpq-int.h"`
`38`	`38`
	`39`	`+#definePQmblenBounded(s,e) strnlen(s, PQmblen(s, e))`
`39`	`40`
`40`	`41`	`staticvoiddo_field(constPQprintOptpo,constPGresultres,`
`41`	`42`	`constinti,constintj,constintfs_len,`
`@@ -365,7 +366,7 @@ do_field(const PQprintOpt po, const PGresult res,`
`365`	`366`	`/* Detect whether field contains non-numeric data */`
`366`	`367`	`charch='0';`
`367`	`368`
`368`		`-for (p=pval;*p;p+=PQmblen(p,res->client_encoding))`
	`369`	`+for (p=pval;*p;p+=PQmblenBounded(p,res->client_encoding))`
`369`	`370`	`{`
`370`	`371`	`ch=*p;`
`371`	`372`	`if (!((ch >='0'&&ch <='9')\|\|`

`‎src/interfaces/libpq/fe-protocol3.c`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@`
`39`	`39`	`((id) == 'T' \|\| (id) == 'D' \|\| (id) == 'd' \|\| (id) == 'V' \|\| \`
`40`	`40`	`(id) == 'E' \|\| (id) == 'N' \|\| (id) == 'A')`
`41`	`41`
	`42`	`+#definePQmblenBounded(s,e) strnlen(s, PQmblen(s, e))`
	`43`	`+`
`42`	`44`
`43`	`45`	`staticvoidhandleSyncLoss(PGconn*conn,charid,intmsgLength);`
`44`	`46`	`staticintgetRowDescriptions(PGconn*conn,intmsgLength);`
`@@ -1241,7 +1243,7 @@ reportErrorPosition(PQExpBuffer msg, const char *query, int loc, int encoding)`
`1241`	`1243`	`if (w <=0)`
`1242`	`1244`	`w=1;`
`1243`	`1245`	`scroffset+=w;`
`1244`		`-qoffset+=pg_encoding_mblen(encoding,&wquery[qoffset]);`
	`1246`	`+qoffset+=PQmblenBounded(&wquery[qoffset],encoding);`
`1245`	`1247`	`}`
`1246`	`1248`	`else`
`1247`	`1249`	`{`
`@@ -1309,7 +1311,7 @@ reportErrorPosition(PQExpBuffer msg, const char *query, int loc, int encoding)`
`1309`	`1311`	`* width.`
`1310`	`1312`	`*/`
`1311`	`1313`	`scroffset=0;`
`1312`		`-for (;i<msg->len;i+=pg_encoding_mblen(encoding,&msg->data[i]))`
	`1314`	`+for (;i<msg->len;i+=PQmblenBounded(&msg->data[i],encoding))`
`1313`	`1315`	`{`
`1314`	`1316`	`intw=pg_encoding_dsplen(encoding,&msg->data[i]);`
`1315`	`1317`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5b64368

File tree

11 files changed

11 files changed

`‎src/bin/psql/common.c`

`‎src/bin/psql/psqlscanslash.l`

`‎src/bin/psql/stringutils.c`

`‎src/bin/psql/tab-complete.c`

`‎src/bin/scripts/common.c`

`‎src/common/jsonapi.c`

`‎src/common/wchar.c`

`‎src/fe_utils/print.c`

`‎src/include/mb/pg_wchar.h`

`‎src/interfaces/libpq/fe-print.c`

`‎src/interfaces/libpq/fe-protocol3.c`

0 commit comments