NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitbb36c51

committed

Fix several bugs in tsvectorin, including crash due to uninitialized field and

miscomputation of required palloc size. The crash could only occur if theinput contained lexemes both with and without positions, which is probably notcommon in practice. The miscomputation would definitely result in wastedspace. Also fix some inconsistent coding around alignment of strings andpositions in a tsvector value; these errors could also lead to crashes givenmixed with/without position data and a machine that's picky about alignment.And be more careful about checking for overflow of string offsets.Patch is only against HEAD --- I have not looked to see if same bugs arein back-branch contrib/tsearch2 code.

1 parentf551348 commitbb36c51Copy full SHA for bb36c51

File tree

3 files changed

+166

-126

lines changed

src/backend
- tsearch
  - to_tsany.c
- utils/adt
  - tsvector.c
  - tsvector_op.c

3 files changed

+166

-126

lines changed

`‎src/backend/tsearch/to_tsany.c`

Lines changed: 26 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`*`
`8`	`8`	`*`
`9`	`9`	`* IDENTIFICATION`
`10`		`- * $PostgreSQL: pgsql/src/backend/tsearch/to_tsany.c,v 1.4 2007/09/26 10:09:57 teodor Exp $`
	`10`	`+ * $PostgreSQL: pgsql/src/backend/tsearch/to_tsany.c,v 1.5 2007/10/23 00:51:23 tgl Exp $`
`11`	`11`	`*`
`12`	`12`	`*-------------------------------------------------------------------------`
`13`	`13`	`*/`
`@@ -140,55 +140,64 @@ uniqueWORD(ParsedWord * a, int4 l)`
`140`	`140`	`TSVector`
`141`	`141`	`make_tsvector(ParsedText*prs)`
`142`	`142`	`{`
`143`		`-int4i,`
	`143`	`+inti,`
`144`	`144`	`j,`
`145`	`145`	`lenstr=0,`
`146`	`146`	`totallen;`
`147`	`147`	`TSVectorin;`
`148`	`148`	`WordEntry*ptr;`
`149`		`-char*str,`
`150`		`-*cur;`
	`149`	`+char*str;`
	`150`	`+intstroff;`
`151`	`151`
`152`	`152`	`prs->curwords=uniqueWORD(prs->words,prs->curwords);`
`153`	`153`	`for (i=0;i<prs->curwords;i++)`
`154`	`154`	`{`
`155`		`-lenstr+=SHORTALIGN(prs->words[i].len);`
`156`		`-`
	`155`	`+lenstr+=prs->words[i].len;`
`157`	`156`	`if (prs->words[i].alen)`
	`157`	`+{`
	`158`	`+lenstr=SHORTALIGN(lenstr);`
`158`	`159`	`lenstr+=sizeof(uint16)+prs->words[i].pos.apos[0]*sizeof(WordEntryPos);`
	`160`	`+}`
`159`	`161`	`}`
`160`	`162`
	`163`	`+if (lenstr>MAXSTRPOS)`
	`164`	`+ereport(ERROR,`
	`165`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`166`	`+errmsg("string is too long for tsvector")));`
	`167`	`+`
`161`	`168`	`totallen=CALCDATASIZE(prs->curwords,lenstr);`
`162`	`169`	`in= (TSVector)palloc0(totallen);`
`163`	`170`	`SET_VARSIZE(in,totallen);`
`164`	`171`	`in->size=prs->curwords;`
`165`	`172`
`166`	`173`	`ptr=ARRPTR(in);`
`167`		`-cur=str=STRPTR(in);`
	`174`	`+str=STRPTR(in);`
	`175`	`+stroff=0;`
`168`	`176`	`for (i=0;i<prs->curwords;i++)`
`169`	`177`	`{`
`170`	`178`	`ptr->len=prs->words[i].len;`
`171`		`-if (cur-str>MAXSTRPOS)`
`172`		`-ereport(ERROR,`
`173`		`-(errcode(ERRCODE_SYNTAX_ERROR),`
`174`		`-errmsg("string is too long for tsvector")));`
`175`		`-ptr->pos=cur-str;`
`176`		`-memcpy((void)cur, (void)prs->words[i].word,prs->words[i].len);`
	`179`	`+ptr->pos=stroff;`
	`180`	`+memcpy(str+stroff,prs->words[i].word,prs->words[i].len);`
	`181`	`+stroff+=prs->words[i].len;`
`177`	`182`	`pfree(prs->words[i].word);`
`178`		`-cur+=SHORTALIGN(prs->words[i].len);`
`179`	`183`	`if (prs->words[i].alen)`
`180`	`184`	`{`
	`185`	`+intk=prs->words[i].pos.apos[0];`
`181`	`186`	`WordEntryPos*wptr;`
`182`	`187`
	`188`	`+if (k>0xFFFF)`
	`189`	`+elog(ERROR,"positions array too long");`
	`190`	`+`
`183`	`191`	`ptr->haspos=1;`
`184`		`-(uint16)cur=prs->words[i].pos.apos[0];`
	`192`	`+stroff=SHORTALIGN(stroff);`
	`193`	`+(uint16) (str+stroff)= (uint16)k;`
`185`	`194`	`wptr=POSDATAPTR(in,ptr);`
`186`		`-for (j=0;j<(uint16)cur;j++)`
	`195`	`+for (j=0;j<k;j++)`
`187`	`196`	`{`
`188`	`197`	`WEP_SETWEIGHT(wptr[j],0);`
`189`	`198`	`WEP_SETPOS(wptr[j],prs->words[i].pos.apos[j+1]);`
`190`	`199`	`}`
`191`		`-cur+=sizeof(uint16)+prs->words[i].pos.apos[0]*sizeof(WordEntryPos);`
	`200`	`+stroff+=sizeof(uint16)+k*sizeof(WordEntryPos);`
`192`	`201`	`pfree(prs->words[i].pos.apos);`
`193`	`202`	`}`
`194`	`203`	`else`

`‎src/backend/utils/adt/tsvector.c`

Lines changed: 74 additions & 63 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`*`
`8`	`8`	`*`
`9`	`9`	`* IDENTIFICATION`
`10`		`- * $PostgreSQL: pgsql/src/backend/utils/adt/tsvector.c,v 1.5 2007/10/21 22:29:56 tgl Exp $`
	`10`	`+ * $PostgreSQL: pgsql/src/backend/utils/adt/tsvector.c,v 1.6 2007/10/23 00:51:23 tgl Exp $`
`11`	`11`	`*`
`12`	`12`	`*-------------------------------------------------------------------------`
`13`	`13`	`*/`
`@@ -22,16 +22,18 @@`
`22`	`22`
`23`	`23`	`typedefstruct`
`24`	`24`	`{`
`25`		`-WordEntryentry;/should be first! /`
	`25`	`+WordEntryentry;/must be first! /`
`26`	`26`	`WordEntryPos*pos;`
`27`	`27`	`intposlen;/* number of elements in pos */`
`28`	`28`	`}WordEntryIN;`
`29`	`29`
	`30`	`+`
	`31`	`+/* Compare two WordEntryPos values for qsort */`
`30`	`32`	`staticint`
`31`	`33`	`comparePos(constvoida,constvoidb)`
`32`	`34`	`{`
`33`		`-intapos=WEP_GETPOS((WordEntryPos)a);`
`34`		`-intbpos=WEP_GETPOS((WordEntryPos)b);`
	`35`	`+intapos=WEP_GETPOS((constWordEntryPos)a);`
	`36`	`+intbpos=WEP_GETPOS((constWordEntryPos)b);`
`35`	`37`
`36`	`38`	`if (apos==bpos)`
`37`	`39`	`return0;`
`@@ -53,17 +55,18 @@ uniquePos(WordEntryPos * a, int l)`
`53`	`55`	`if (l <=1)`
`54`	`56`	`returnl;`
`55`	`57`
`56`		`-res=a;`
`57`	`58`	`qsort((void*)a,l,sizeof(WordEntryPos),comparePos);`
`58`	`59`
	`60`	`+res=a;`
`59`	`61`	`ptr=a+1;`
`60`	`62`	`while (ptr-a<l)`
`61`	`63`	`{`
`62`	`64`	`if (WEP_GETPOS(ptr)!=WEP_GETPOS(res))`
`63`	`65`	`{`
`64`	`66`	`res++;`
`65`	`67`	`res=ptr;`
`66`		`-if (res-a >=MAXNUMPOS-1\|\|WEP_GETPOS(*res)==MAXENTRYPOS-1)`
	`68`	`+if (res-a >=MAXNUMPOS-1\|\|`
	`69`	`+WEP_GETPOS(*res)==MAXENTRYPOS-1)`
`67`	`70`	`break;`
`68`	`71`	`}`
`69`	`72`	`elseif (WEP_GETWEIGHT(ptr)>WEP_GETWEIGHT(res))`
`@@ -74,12 +77,13 @@ uniquePos(WordEntryPos * a, int l)`
`74`	`77`	`returnres+1-a;`
`75`	`78`	`}`
`76`	`79`
	`80`	`+/* Compare two WordEntryIN values for qsort */`
`77`	`81`	`staticint`
`78`	`82`	`compareentry(constvoidva,constvoidvb,void*arg)`
`79`	`83`	`{`
	`84`	`+constWordEntryINa= (constWordEntryIN)va;`
	`85`	`+constWordEntryINb= (constWordEntryIN)vb;`
`80`	`86`	`charBufferStr= (char)arg;`
`81`		`-WordEntryINa= (WordEntryIN)va;`
`82`		`-WordEntryINb= (WordEntryIN)vb;`
`83`	`87`
`84`	`88`	`if (a->entry.len==b->entry.len)`
`85`	`89`	`{`
`@@ -91,82 +95,78 @@ compareentry(const void va, const void vb, void *arg)`
`91`	`95`	`return (a->entry.len>b->entry.len) ?1 :-1;`
`92`	`96`	`}`
`93`	`97`
	`98`	`+/*`
	`99`	`+ * Sort an array of WordEntryIN, remove duplicates.`
	`100`	`+ * *outbuflen receives the amount of space needed for strings and positions.`
	`101`	`+ */`
`94`	`102`	`staticint`
`95`	`103`	`uniqueentry(WordEntryINa,intl,charbuf,int*outbuflen)`
`96`	`104`	`{`
	`105`	`+intbuflen;`
`97`	`106`	`WordEntryIN*ptr,`
`98`	`107`	`*res;`
`99`	`108`
`100`	`109`	`Assert(l >=1);`
`101`	`110`
`102`		`-if (l==1)`
`103`		`-{`
`104`		`-if (a->entry.haspos)`
`105`		`-{`
`106`		`-a->poslen=uniquePos(a->pos,a->poslen);`
`107`		`-outbuflen=SHORTALIGN(a->entry.len)+ (a->poslen+1)sizeof(WordEntryPos);`
`108`		`-}`
`109`		`-else`
`110`		`-*outbuflen=a->entry.len;`
	`111`	`+if (l>1)`
	`112`	`+qsort_arg((void*)a,l,sizeof(WordEntryIN),compareentry,`
	`113`	`+ (void*)buf);`
`111`	`114`
`112`		`-returnl;`
`113`		`-}`
	`115`	`+buflen=0;`
`114`	`116`	`res=a;`
`115`		`-`
`116`	`117`	`ptr=a+1;`
`117`		`-qsort_arg((void)a,l,sizeof(WordEntryIN),compareentry, (void)buf);`
`118`		`-`
`119`	`118`	`while (ptr-a<l)`
`120`	`119`	`{`
`121`	`120`	`if (!(ptr->entry.len==res->entry.len&&`
`122`		`-strncmp(&buf[ptr->entry.pos],&buf[res->entry.pos],res->entry.len)==0))`
	`121`	`+strncmp(&buf[ptr->entry.pos],&buf[res->entry.pos],`
	`122`	`+res->entry.len)==0))`
`123`	`123`	`{`
	`124`	`+/* done accumulating data into res, count space needed /`
	`125`	`+buflen+=res->entry.len;`
`124`	`126`	`if (res->entry.haspos)`
`125`	`127`	`{`
`126`		`-*outbuflen+=SHORTALIGN(res->entry.len);`
`127`	`128`	`res->poslen=uniquePos(res->pos,res->poslen);`
`128`		`-outbuflen+=res->poslensizeof(WordEntryPos);`
	`129`	`+buflen=SHORTALIGN(buflen);`
	`130`	`+buflen+=res->poslen*sizeof(WordEntryPos)+sizeof(uint16);`
`129`	`131`	`}`
`130`		`-else`
`131`		`-*outbuflen+=res->entry.len;`
`132`	`132`	`res++;`
`133`	`133`	`memcpy(res,ptr,sizeof(WordEntryIN));`
`134`	`134`	`}`
`135`	`135`	`elseif (ptr->entry.haspos)`
`136`	`136`	`{`
`137`	`137`	`if (res->entry.haspos)`
`138`	`138`	`{`
	`139`	`+/* append ptr's positions to res's positions */`
`139`	`140`	`intnewlen=ptr->poslen+res->poslen;`
`140`	`141`
`141`		`-/* Append res to pos */`
`142`		`-`
`143`		`-res->pos= (WordEntryPos)repalloc(res->pos,newlensizeof(WordEntryPos));`
`144`		`-memcpy(&res->pos[res->poslen],`
`145`		`-ptr->pos,ptr->poslen*sizeof(WordEntryPos));`
	`142`	`+res->pos= (WordEntryPos*)`
	`143`	`+repalloc(res->pos,newlen*sizeof(WordEntryPos));`
	`144`	`+memcpy(&res->pos[res->poslen],ptr->pos,`
	`145`	`+ptr->poslen*sizeof(WordEntryPos));`
`146`	`146`	`res->poslen=newlen;`
`147`	`147`	`pfree(ptr->pos);`
`148`	`148`	`}`
`149`	`149`	`else`
`150`	`150`	`{`
	`151`	`+/* just give ptr's positions to pos */`
`151`	`152`	`res->entry.haspos=1;`
`152`	`153`	`res->pos=ptr->pos;`
	`154`	`+res->poslen=ptr->poslen;`
`153`	`155`	`}`
`154`	`156`	`}`
`155`	`157`	`ptr++;`
`156`	`158`	`}`
`157`	`159`
`158`		`-/add last item /`
`159`		`-`
	`160`	`+/count space needed for last item /`
	`161`	`+buflen+=res->entry.len;`
`160`	`162`	`if (res->entry.haspos)`
`161`	`163`	`{`
`162`		`-*outbuflen+=SHORTALIGN(res->entry.len);`
`163`		`-`
`164`	`164`	`res->poslen=uniquePos(res->pos,res->poslen);`
`165`		`-outbuflen+=res->poslensizeof(WordEntryPos);`
	`165`	`+buflen=SHORTALIGN(buflen);`
	`166`	`+buflen+=res->poslen*sizeof(WordEntryPos)+sizeof(uint16);`
`166`	`167`	`}`
`167`		`-else`
`168`		`-*outbuflen+=res->entry.len;`
`169`	`168`
	`169`	`+*outbuflen=buflen;`
`170`	`170`	`returnres+1-a;`
`171`	`171`	`}`
`172`	`172`
`@@ -193,6 +193,8 @@ tsvectorin(PG_FUNCTION_ARGS)`
`193`	`193`	`inttoklen;`
`194`	`194`	`WordEntryPos*pos;`
`195`	`195`	`intposlen;`
	`196`	`+char*strbuf;`
	`197`	`+intstroff;`
`196`	`198`
`197`	`199`	`/*`
`198`	`200`	`* Tokens are appended to tmpbuf, cur is a pointer`
`@@ -212,27 +214,26 @@ tsvectorin(PG_FUNCTION_ARGS)`
`212`	`214`
`213`	`215`	`while (gettoken_tsvector(state,&token,&toklen,&pos,&poslen,NULL))`
`214`	`216`	`{`
`215`		`-`
`216`	`217`	`if (toklen >=MAXSTRLEN)`
`217`	`218`	`ereport(ERROR,`
`218`		`-(errcode(ERRCODE_SYNTAX_ERROR),`
	`219`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
`219`	`220`	`errmsg("word is too long (%ld bytes, max %ld bytes)",`
`220`	`221`	`(long)toklen,`
`221`		`-(long)MAXSTRLEN)));`
`222`		`-`
	`222`	`+(long) (MAXSTRLEN-1))));`
`223`	`223`
`224`	`224`	`if (cur-tmpbuf>MAXSTRPOS)`
`225`	`225`	`ereport(ERROR,`
`226`		`-(errcode(ERRCODE_SYNTAX_ERROR),`
`227`		`-errmsg("position valueis toolarge")));`
	`226`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`227`	`+errmsg("stringis toolong for tsvector")));`
`228`	`228`
`229`	`229`	`/*`
`230`	`230`	`* Enlarge buffers if needed`
`231`	`231`	`*/`
`232`	`232`	`if (len >=arrlen)`
`233`	`233`	`{`
`234`	`234`	`arrlen *=2;`
`235`		`-arr= (WordEntryIN)repalloc((void)arr,sizeof(WordEntryIN)*arrlen);`
	`235`	`+arr= (WordEntryIN*)`
	`236`	`+repalloc((void)arr,sizeof(WordEntryIN)arrlen);`
`236`	`237`	`}`
`237`	`238`	`while ((cur-tmpbuf)+toklen >=buflen)`
`238`	`239`	`{`
`@@ -254,7 +255,11 @@ tsvectorin(PG_FUNCTION_ARGS)`
`254`	`255`	`arr[len].poslen=poslen;`
`255`	`256`	`}`
`256`	`257`	`else`
	`258`	`+{`
`257`	`259`	`arr[len].entry.haspos=0;`
	`260`	`+arr[len].pos=NULL;`
	`261`	`+arr[len].poslen=0;`
	`262`	`+}`
`258`	`263`	`len++;`
`259`	`264`	`}`
`260`	`265`
`@@ -264,40 +269,45 @@ tsvectorin(PG_FUNCTION_ARGS)`
`264`	`269`	`len=uniqueentry(arr,len,tmpbuf,&buflen);`
`265`	`270`	`else`
`266`	`271`	`buflen=0;`
	`272`	`+`
	`273`	`+if (buflen>MAXSTRPOS)`
	`274`	`+ereport(ERROR,`
	`275`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`276`	`+errmsg("string is too long for tsvector")));`
	`277`	`+`
`267`	`278`	`totallen=CALCDATASIZE(len,buflen);`
`268`	`279`	`in= (TSVector)palloc0(totallen);`
`269`		`-`
`270`	`280`	`SET_VARSIZE(in,totallen);`
`271`	`281`	`in->size=len;`
`272`		`-cur=STRPTR(in);`
`273`	`282`	`inarr=ARRPTR(in);`
	`283`	`+strbuf=STRPTR(in);`
	`284`	`+stroff=0;`
`274`	`285`	`for (i=0;i<len;i++)`
`275`	`286`	`{`
`276`		`-memcpy((void)cur, (void)&tmpbuf[arr[i].entry.pos],arr[i].entry.len);`
`277`		`-arr[i].entry.pos=cur-STRPTR(in);`
`278`		`-cur+=SHORTALIGN(arr[i].entry.len);`
	`287`	`+memcpy(strbuf+stroff,&tmpbuf[arr[i].entry.pos],arr[i].entry.len);`
	`288`	`+arr[i].entry.pos=stroff;`
	`289`	`+stroff+=arr[i].entry.len;`
`279`	`290`	`if (arr[i].entry.haspos)`
`280`	`291`	`{`
`281`		`-uint16tmplen;`
`282`		`-`
`283`		`-if(arr[i].poslen>0xFFFF)`
	`292`	`+if (arr[i].poslen>0xFFFF)`
`284`	`293`	`elog(ERROR,"positions array too long");`
`285`	`294`
`286`		`-tmplen= (uint16)arr[i].poslen;`
`287`		`-`
`288`		`-/* Copy length to output struct */`
`289`		`-memcpy(cur,&tmplen,sizeof(uint16));`
`290`		`-cur+=sizeof(uint16);`
	`295`	`+/* Copy number of positions */`
	`296`	`+stroff=SHORTALIGN(stroff);`
	`297`	`+(uint16) (strbuf+stroff)= (uint16)arr[i].poslen;`
	`298`	`+stroff+=sizeof(uint16);`
`291`	`299`
`292`	`300`	`/* Copy positions */`
`293`		`-memcpy(cur,arr[i].pos,(arr[i].poslen)*sizeof(WordEntryPos));`
`294`		`-cur+=arr[i].poslen*sizeof(WordEntryPos);`
	`301`	`+memcpy(strbuf+stroff,arr[i].pos,arr[i].poslen*sizeof(WordEntryPos));`
	`302`	`+stroff+=arr[i].poslen*sizeof(WordEntryPos);`
`295`	`303`
`296`	`304`	`pfree(arr[i].pos);`
`297`	`305`	`}`
`298`	`306`	`inarr[i]=arr[i].entry;`
`299`	`307`	`}`
`300`	`308`
	`309`	`+Assert((strbuf+stroff- (char*)in)==totallen);`
	`310`	`+`
`301`	`311`	`PG_RETURN_TSVECTOR(in);`
`302`	`312`	`}`
`303`	`313`
`@@ -495,11 +505,12 @@ tsvectorrecv(PG_FUNCTION_ARGS)`
`495`	`505`
`496`	`506`	`datalen+=lex_len;`
`497`	`507`
`498`		`-if (i>0&&WordEntryCMP(&vec->entries[i],&vec->entries[i-1],STRPTR(vec)) <=0)`
	`508`	`+if (i>0&&WordEntryCMP(&vec->entries[i],`
	`509`	`+&vec->entries[i-1],`
	`510`	`+STRPTR(vec)) <=0)`
`499`	`511`	`elog(ERROR,"lexemes are misordered");`
`500`	`512`
`501`	`513`	`/* Receive positions */`
`502`		`-`
`503`	`514`	`if (npos>0)`
`504`	`515`	`{`
`505`	`516`	`uint16j;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbb36c51

File tree

3 files changed

3 files changed

`‎src/backend/tsearch/to_tsany.c`

`‎src/backend/utils/adt/tsvector.c`

0 commit comments