Commit 93809ad

Fix potential memory clobber in tsvector_concat().
tsvector_concat() allocated its result workspace using the "conservative" estimate of the sum of the two input tsvectors' sizes. Unfortunately that wasn't so conservative as all that, because it supposed that the number of pad bytes required could not grow. Which it can, as per test case from Jesper Krogh, if there's a mix of lexemes with positions and lexemes without them in the input data. The fix is to assume that we might add a not-previously-present pad byte for each and every lexeme in the two inputs; which really is conservative, but it doesn't seem worthwhile to try to be more precise.

This is an aboriginal bug in tsvector_concat, so back-patch to all versions containing it.

1 parent 39a713e commit 93809ad

File tree

1 file changed

+30
-6
lines changed

‎src/backend/utils/adt/tsvector_op.c

Lines changed: 30 additions & 6 deletions
@@ -340,11 +340,14 @@ tsvector_concat(PG_FUNCTION_ARGS)
340340
j,
341341
i1,
342342
i2,
343-
dataoff;
343+
dataoff,
344+
output_bytes,
345+
output_size;
344346
char*data,
345347
*data1,
346348
*data2;
347349

350+
/* Get max position in in1; we'll need this to offset in2's positions */
348351
ptr=ARRPTR(in1);
349352
i=in1->size;
350353
while (i--)
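Review bot: output_bytes and output_size are appended to the same declarator list as dataoff (new lines 343-345), so they inherit that list's type, which this hunk does not show. Since output_bytes is handed to palloc0() and later compared with VARSIZE(out), it is worth confirming that the shared type is appropriate for a byte count, or declaring the two new variables on their own line with an explicit size type.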
@@ -368,10 +371,23 @@ tsvector_concat(PG_FUNCTION_ARGS)
368371
data2=STRPTR(in2);
369372
i1=in1->size;
370373
i2=in2->size;
371-
/* conservative estimate of space needed */
372-
out= (TSVector)palloc0(VARSIZE(in1)+VARSIZE(in2));
373-
SET_VARSIZE(out,VARSIZE(in1)+VARSIZE(in2));
374+
375+
/*
376+
* Conservative estimate of space needed. We might need all the data
377+
* in both inputs, and conceivably add a pad byte before position data
378+
* for each item where there was none before.
379+
*/
380+
output_bytes=VARSIZE(in1)+VARSIZE(in2)+i1+i2;
381+
382+
out= (TSVector)palloc0(output_bytes);
383+
SET_VARSIZE(out,output_bytes);
384+
385+
/*
386+
* We must make out->size valid so that STRPTR(out) is sensible. We'll
387+
* collapse out any unused space at the end.
388+
*/
374389
out->size=in1->size+in2->size;
390+
375391
ptr=ARRPTR(out);
376392
data=STRPTR(out);
377393
dataoff=0;
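Review bot: the +i1+i2 term at new line 380 assumes at most one added pad byte per lexeme, but the comment above it does not say why one byte is the ceiling; naming the alignment rule for position data there would let a later reader re-check the bound if that alignment ever changes. The commit message cites a test case mixing lexemes with and without positions, yet only this one file is changed, so adding that case to the regression tests would keep the estimate from silently regressing.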
@@ -513,10 +529,18 @@ tsvector_concat(PG_FUNCTION_ARGS)
513529
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
514530
errmsg("string is too long for tsvector (%d bytes, max %d bytes)",dataoff,MAXSTRPOS)));
515531

516-
out->size=ptr-ARRPTR(out);
517-
SET_VARSIZE(out,CALCDATASIZE(out->size,dataoff));
532+
/*
533+
* Adjust sizes (asserting that we didn't overrun the original estimates)
534+
* and collapse out any unused array entries.
535+
*/
536+
output_size=ptr-ARRPTR(out);
537+
Assert(output_size <=out->size);
538+
out->size=output_size;
518539
if (data!=STRPTR(out))
519540
memmove(STRPTR(out),data,dataoff);
541+
output_bytes=CALCDATASIZE(out->size,dataoff);
542+
Assert(output_bytes <=VARSIZE(out));
543+
SET_VARSIZE(out,output_bytes);
520544

521545
PG_FREE_IF_COPY(in1,0);
522546
PG_FREE_IF_COPY(in2,1);
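Review bot: the two Assert() checks at new lines 537 and 542 are compiled in only for assert-enabled builds and run only after the output has been fully written, so in a production build an under-estimate would still overrun the allocation unnoticed. Both are cheap integer comparisons; consider a runtime check that raises an error, in the style of the errcode/errmsg report just above, when output_size exceeds out->size or output_bytes exceeds VARSIZE(out), or a bounds check inside the merge loop where the writes actually happen.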
