Commit ad1e827

Avoid possibly accessing off the end of memory in examine_attribute().
Since the last couple of columns of pg_type are often NULL, sizeof(FormData_pg_type) can be an overestimate of the actual size of the tuple data part. Therefore memcpy'ing that much out of the catalog cache, as analyze.c was doing, poses a small risk of copying past the end of memory and incurring SIGSEGV. No such crash has been identified in the field, but we've certainly seen the equivalent happen in other code paths, so patch this one all the way back.

Per valgrind testing by Noah Misch, though this is not his proposed patch. I chose to use SearchSysCacheCopy1 rather than inventing special-purpose infrastructure for copying only the minimal part of a pg_type tuple.
1 parent dcc728e, commit ad1e827

1 file changed, +4 -5 lines changed
‎src/backend/commands/analyze.c

Lines changed: 4 additions & 5 deletions
@@ -831,12 +831,11 @@ examine_attribute(Relation onerel, int attnum, Node *index_expr)
831831
stats->attrtypmod=attr->atttypmod;
832832
}
833833

834-
typtuple=SearchSysCache1(TYPEOID,ObjectIdGetDatum(stats->attrtypid));
834+
typtuple=SearchSysCacheCopy1(TYPEOID,
835+
ObjectIdGetDatum(stats->attrtypid));
835836
if (!HeapTupleIsValid(typtuple))
836837
elog(ERROR,"cache lookup failed for type %u",stats->attrtypid);
837-
stats->attrtype= (Form_pg_type)palloc(sizeof(FormData_pg_type));
838-
memcpy(stats->attrtype,GETSTRUCT(typtuple),sizeof(FormData_pg_type));
839-
ReleaseSysCache(typtuple);
838+
stats->attrtype= (Form_pg_type)GETSTRUCT(typtuple);
840839
stats->anl_context=anl_context;
841840
stats->tupattnum=attnum;
842841
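
Review bot: the assignment `stats->attrtype= (Form_pg_type)GETSTRUCT(typtuple);` needs a comment saying that attrtype now points into the tuple returned by SearchSysCacheCopy1 rather than at its own palloc'd block. After this change it must never be passed to pfree on its own, and the only handle that can release the memory is typtuple, a local that is not stored in stats in the lines shown. A short comment here, stating that the copy is left to be reclaimed with the surrounding memory context (if that is the intent), would stop a later cleanup path from freeing the interior pointer.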

@@ -865,7 +864,7 @@ examine_attribute(Relation onerel, int attnum, Node *index_expr)
865864

866865
if (!ok||stats->compute_stats==NULL||stats->minrows <=0)
867866
{
868-
pfree(stats->attrtype);
867+
heap_freetuple(typtuple);
869868
pfree(stats->attr);
870869
pfree(stats);
871870
returnNULL;
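
Review bot: with `heap_freetuple(typtuple);` replacing `pfree(stats->attrtype);` in this failure branch, stats->attrtype is left dangling until `pfree(stats);` two lines later. That is harmless here because stats is freed before the return, but any other site that still calls pfree(stats->attrtype) is not visible in this diff and would now be freeing a pointer into the middle of the tuple copy. It is worth searching for such callers in each branch before back-patching.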