Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitc66256b

Browse files
committed
Fix inadequately-sized output buffer in contrib/unaccent.
The output buffer size in unaccent_lexize() was calculated as input stringlength times pg_database_encoding_max_length(), which effectively assumesthat replacement strings aren't more than one character. While that wasall that we previously documented it to support, the code actually hasalways allowed replacement strings of arbitrary length; so if you triedto make use of longer strings, you were at risk of buffer overrun. To fix,use an expansible StringInfo buffer instead of trying to determine themaximum space needed a-priori.This would be a security issue if unaccent rules files could be installedby unprivileged users; but fortunately they can't, so in the back branchesthe problem can be labeled as improper configuration by a superuser.Nonetheless, a memory stomp isn't a nice way of reacting to improperconfiguration, so let's back-patch the fix.
1 parentf6d6b7b commitc66256b

File tree

1 file changed

+27
-24
lines changed

1 file changed

+27
-24
lines changed

‎contrib/unaccent/unaccent.c‎

Lines changed: 27 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@
1515

1616
#include"catalog/namespace.h"
1717
#include"commands/defrem.h"
18+
#include"lib/stringinfo.h"
1819
#include"tsearch/ts_cache.h"
1920
#include"tsearch/ts_locale.h"
2021
#include"tsearch/ts_public.h"
@@ -265,46 +266,48 @@ unaccent_lexize(PG_FUNCTION_ARGS)
265266
SuffixChar*rootSuffixTree= (SuffixChar*)PG_GETARG_POINTER(0);
266267
char*srcchar= (char*)PG_GETARG_POINTER(1);
267268
int32len=PG_GETARG_INT32(2);
268-
char*srcstart,
269-
*trgchar=NULL;
270-
intcharlen;
271-
TSLexeme*res=NULL;
272-
SuffixChar*node;
269+
char*srcstart=srcchar;
270+
TSLexeme*res;
271+
StringInfoDatabuf;
272+
273+
/* we allocate storage for the buffer only if needed */
274+
buf.data=NULL;
273275

274-
srcstart=srcchar;
275276
while (srcchar-srcstart<len)
276277
{
278+
SuffixChar*node;
279+
intcharlen;
280+
277281
charlen=pg_mblen(srcchar);
278282

279283
node=findReplaceTo(rootSuffixTree, (unsignedchar*)srcchar,charlen);
280284
if (node&&node->replaceTo)
281285
{
282-
if (!res)
286+
if (buf.data==NULL)
283287
{
284-
/* allocate res only if it's needed */
285-
res=palloc0(sizeof(TSLexeme)*2);
286-
res->lexeme=trgchar=palloc(len*pg_database_encoding_max_length()+1/* \0 */ );
287-
res->flags=TSL_FILTER;
288+
/* initialize buffer */
289+
initStringInfo(&buf);
290+
/* insert any data we already skipped over */
288291
if (srcchar!=srcstart)
289-
{
290-
memcpy(trgchar,srcstart,srcchar-srcstart);
291-
trgchar+= (srcchar-srcstart);
292-
}
292+
appendBinaryStringInfo(&buf,srcstart,srcchar-srcstart);
293293
}
294-
memcpy(trgchar,node->replaceTo,node->replacelen);
295-
trgchar+=node->replacelen;
296-
}
297-
elseif (res)
298-
{
299-
memcpy(trgchar,srcchar,charlen);
300-
trgchar+=charlen;
294+
appendBinaryStringInfo(&buf,node->replaceTo,node->replacelen);
301295
}
296+
elseif (buf.data!=NULL)
297+
appendBinaryStringInfo(&buf,srcchar,charlen);
302298

303299
srcchar+=charlen;
304300
}
305301

306-
if (res)
307-
*trgchar='\0';
302+
/* return a result only if we made at least one substitution */
303+
if (buf.data!=NULL)
304+
{
305+
res= (TSLexeme*)palloc0(sizeof(TSLexeme)*2);
306+
res->lexeme=buf.data;
307+
res->flags=TSL_FILTER;
308+
}
309+
else
310+
res=NULL;
308311

309312
PG_RETURN_POINTER(res);
310313
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp