NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitcd42dd5

committed

Fix core dump with buffer-overrun by too long infinitive. Add checking of using

fixed length arrays to prevent array's overrun. Per report byHannes Dorbath <light@theendofthetunnel.de> and comments by Tom.

1 parent0153c4c commitcd42dd5Copy full SHA for cd42dd5

File tree

1 file changed

+47

-32

lines changed

src/backend/tsearch
- spell.c

1 file changed

+47

-32

lines changed

`‎src/backend/tsearch/spell.c`

Lines changed: 47 additions & 32 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`*`
`8`	`8`	`*`
`9`	`9`	`* IDENTIFICATION`
`10`		`- * $PostgreSQL: pgsql/src/backend/tsearch/spell.c,v 1.9 2008/01/01 19:45:52 momjian Exp $`
	`10`	`+ * $PostgreSQL: pgsql/src/backend/tsearch/spell.c,v 1.10 2008/01/16 13:01:03 teodor Exp $`
`11`	`11`	`*`
`12`	`12`	`*-------------------------------------------------------------------------`
`13`	`13`	`*/`
`@@ -1327,8 +1327,7 @@ addToResult(char forms, char cur, char *word)`
`1327`	`1327`	`if (forms==cur\|\|strcmp(word,*(cur-1))!=0)`
`1328`	`1328`	`{`
`1329`	`1329`	`*cur=pstrdup(word);`
`1330`		`-cur++;`
`1331`		`-*cur=NULL;`
	`1330`	`+*(cur+1)=NULL;`
`1332`	`1331`	`return1;`
`1333`	`1332`	`}`
`1334`	`1333`
`@@ -1448,6 +1447,7 @@ NormalizeSubWord(IspellDict Conf, char word, int flag)`
`1448`	`1447`	`typedefstructSplitVar`
`1449`	`1448`	`{`
`1450`	`1449`	`intnstem;`
	`1450`	`+intlenstem;`
`1451`	`1451`	`char**stem;`
`1452`	`1452`	`structSplitVar*next;`
`1453`	`1453`	`}SplitVar;`
`@@ -1495,21 +1495,38 @@ CopyVar(SplitVar *s, int makedup)`
`1495`	`1495`	`{`
`1496`	`1496`	`SplitVarv= (SplitVar)palloc(sizeof(SplitVar));`
`1497`	`1497`
`1498`		`-v->stem= (char*)palloc(sizeof(char)* (MAX_NORM));`
`1499`	`1498`	`v->next=NULL;`
`1500`	`1499`	`if (s)`
`1501`	`1500`	`{`
`1502`	`1501`	`inti;`
`1503`	`1502`
	`1503`	`+v->lenstem=s->lenstem;`
	`1504`	`+v->stem= (char*)palloc(sizeof(char)*v->lenstem);`
`1504`	`1505`	`v->nstem=s->nstem;`
`1505`	`1506`	`for (i=0;i<s->nstem;i++)`
`1506`	`1507`	`v->stem[i]= (makedup) ?pstrdup(s->stem[i]) :s->stem[i];`
`1507`	`1508`	`}`
`1508`	`1509`	`else`
	`1510`	`+{`
	`1511`	`+v->lenstem=16;`
	`1512`	`+v->stem= (char*)palloc(sizeof(char)*v->lenstem);`
`1509`	`1513`	`v->nstem=0;`
	`1514`	`+}`
`1510`	`1515`	`returnv;`
`1511`	`1516`	`}`
`1512`	`1517`
	`1518`	`+staticvoid`
	`1519`	`+AddStem(SplitVarv,charword)`
	`1520`	`+{`
	`1521`	`+if (v->nstem >=v->lenstem )`
	`1522`	`+{`
	`1523`	`+v->lenstem *=2;`
	`1524`	`+v->stem= (char*)repalloc(v->stem,sizeof(char)*v->lenstem);`
	`1525`	`+}`
	`1526`	`+`
	`1527`	`+v->stem[v->nstem]=word;`
	`1528`	`+v->nstem++;`
	`1529`	`+}`
`1513`	`1530`
`1514`	`1531`	`staticSplitVar*`
`1515`	`1532`	`SplitToVariants(IspellDictConf,SPNodesnode,SplitVarorig,charword,intwordlen,intstartpos,intminpos)`
`@@ -1550,11 +1567,13 @@ SplitToVariants(IspellDict Conf, SPNode snode, SplitVar orig, char word, int`
`1550`	`1567`	`if (level+lenaff-1 <=minpos)`
`1551`	`1568`	`continue;`
`1552`	`1569`
	`1570`	`+if (lenaff >=MAXNORMLEN )`
	`1571`	`+continue;/* skip too big value */`
`1553`	`1572`	`if (lenaff>0)`
`1554`	`1573`	`memcpy(buf,word+startpos,lenaff);`
`1555`	`1574`	`buf[lenaff]='\0';`
`1556`	`1575`
`1557`		`-if (level==FF_COMPOUNDBEGIN)`
	`1576`	`+if (level==0)`
`1558`	`1577`	`compoundflag=FF_COMPOUNDBEGIN;`
`1559`	`1578`	`elseif (level==wordlen-1)`
`1560`	`1579`	`compoundflag=FF_COMPOUNDLAST;`
`@@ -1572,8 +1591,7 @@ SplitToVariants(IspellDict Conf, SPNode snode, SplitVar orig, char word, int`
`1572`	`1591`
`1573`	`1592`	`while (*sptr)`
`1574`	`1593`	`{`
`1575`		`-new->stem[new->nstem]=*sptr;`
`1576`		`-new->nstem++;`
	`1594`	`+AddStem(new,*sptr );`
`1577`	`1595`	`sptr++;`
`1578`	`1596`	`}`
`1579`	`1597`	`pfree(subres);`
`@@ -1624,8 +1642,7 @@ SplitToVariants(IspellDict Conf, SPNode snode, SplitVar orig, char word, int`
`1624`	`1642`	`if (wordlen==level+1)`
`1625`	`1643`	`{`
`1626`	`1644`	`/* well, it was last word */`
`1627`		`-var->stem[var->nstem]=pnstrdup(word+startpos,wordlen-startpos);`
`1628`		`-var->nstem++;`
	`1645`	`+AddStem(var,pnstrdup(word+startpos,wordlen-startpos) );`
`1629`	`1646`	`pfree(notprobed);`
`1630`	`1647`	`returnvar;`
`1631`	`1648`	`}`
`@@ -1639,8 +1656,7 @@ SplitToVariants(IspellDict Conf, SPNode snode, SplitVar orig, char word, int`
`1639`	`1656`	`ptr->next=SplitToVariants(Conf,node,var,word,wordlen,startpos,level);`
`1640`	`1657`	`/* we can find next word */`
`1641`	`1658`	`level++;`
`1642`		`-var->stem[var->nstem]=pnstrdup(word+startpos,level-startpos);`
`1643`		`-var->nstem++;`
	`1659`	`+AddStem(var,pnstrdup(word+startpos,level-startpos) );`
`1644`	`1660`	`node=Conf->Dictionary;`
`1645`	`1661`	`startpos=level;`
`1646`	`1662`	`continue;`
`@@ -1654,12 +1670,26 @@ SplitToVariants(IspellDict Conf, SPNode snode, SplitVar orig, char word, int`
`1654`	`1670`	`level++;`
`1655`	`1671`	`}`
`1656`	`1672`
`1657`		`-var->stem[var->nstem]=pnstrdup(word+startpos,wordlen-startpos);`
`1658`		`-var->nstem++;`
	`1673`	`+AddStem(var,pnstrdup(word+startpos,wordlen-startpos) );`
`1659`	`1674`	`pfree(notprobed);`
`1660`	`1675`	`returnvar;`
`1661`	`1676`	`}`
`1662`	`1677`
	`1678`	`+staticvoid`
	`1679`	`+addNorm(TSLexemelres,TSLexemelcur,char*word,intflags,uint16NVariant)`
	`1680`	`+{`
	`1681`	`+if (*lres==NULL )`
	`1682`	`+lcur=lres= (TSLexeme)palloc(MAX_NORMsizeof(TSLexeme));`
	`1683`	`+`
	`1684`	`+if (lcur-lres<MAX_NORM-1 ) {`
	`1685`	`+(*lcur)->lexeme=word;`
	`1686`	`+(*lcur)->flags=flags;`
	`1687`	`+(*lcur)->nvariant=NVariant;`
	`1688`	`+(*lcur)++;`
	`1689`	`+(*lcur)->lexeme=NULL;`
	`1690`	`+}`
	`1691`	`+}`
	`1692`	`+`
`1663`	`1693`	`TSLexeme*`
`1664`	`1694`	`NINormalizeWord(IspellDictConf,charword)`
`1665`	`1695`	`{`
`@@ -1674,16 +1704,11 @@ NINormalizeWord(IspellDict Conf, char word)`
`1674`	`1704`	`{`
`1675`	`1705`	`char**ptr=res;`
`1676`	`1706`
`1677`		`-lcur=lres= (TSLexeme)palloc(MAX_NORMsizeof(TSLexeme));`
`1678`		`-while (*ptr)`
	`1707`	`+while (*ptr&& (lcur-lres)<MAX_NORM)`
`1679`	`1708`	`{`
`1680`		`-lcur->lexeme=*ptr;`
`1681`		`-lcur->flags=0;`
`1682`		`-lcur->nvariant=NVariant++;`
`1683`		`-lcur++;`
	`1709`	`+addNorm(&lres,&lcur,*ptr,0,NVariant++);`
`1684`	`1710`	`ptr++;`
`1685`	`1711`	`}`
`1686`		`-lcur->lexeme=NULL;`
`1687`	`1712`	`pfree(res);`
`1688`	`1713`	`}`
`1689`	`1714`
`@@ -1704,28 +1729,18 @@ NINormalizeWord(IspellDict Conf, char word)`
`1704`	`1729`	`{`
`1705`	`1730`	`char**subptr=subres;`
`1706`	`1731`
`1707`		`-if (!lcur)`
`1708`		`-lcur=lres= (TSLexeme)palloc(MAX_NORMsizeof(TSLexeme));`
`1709`		`-`
`1710`	`1732`	`while (*subptr)`
`1711`	`1733`	`{`
`1712`	`1734`	`for (i=0;i<var->nstem-1;i++)`
`1713`	`1735`	`{`
`1714`		`-lcur->lexeme= (subptr==subres) ?var->stem[i] :pstrdup(var->stem[i]);`
`1715`		`-lcur->flags=0;`
`1716`		`-lcur->nvariant=NVariant;`
`1717`		`-lcur++;`
	`1736`	`+addNorm(&lres,&lcur, (subptr==subres) ?var->stem[i] :pstrdup(var->stem[i]),0,NVariant);`
`1718`	`1737`	`}`
`1719`	`1738`
`1720`		`-lcur->lexeme=*subptr;`
`1721`		`-lcur->flags=0;`
`1722`		`-lcur->nvariant=NVariant;`
`1723`		`-lcur++;`
	`1739`	`+addNorm(&lres,&lcur,*subptr,0,NVariant);`
`1724`	`1740`	`subptr++;`
`1725`	`1741`	`NVariant++;`
`1726`	`1742`	`}`
`1727`	`1743`
`1728`		`-lcur->lexeme=NULL;`
`1729`	`1744`	`pfree(subres);`
`1730`	`1745`	`var->stem[0]=NULL;`
`1731`	`1746`	`pfree(var->stem[var->nstem-1]);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitcd42dd5

File tree

1 file changed

1 file changed

`‎src/backend/tsearch/spell.c`

0 commit comments