From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Robins Tharakan <tharakan(at)gmail(dot)com> |
Cc: | John Naylor <john(dot)naylor(at)enterprisedb(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #17725: Sefault when seg_in() called with a large argument |
Date: | 2022-12-20 17:06:31 |
Message-ID: | 1181726.1671555991@sss.pgh.pa.us |
Lists: | pgsql-bugs |
I wrote:
> I don't see a crash either, but I can't help observing that this
> input leads to a "seg" struct with "-46" significant digits:
> ...
> So we're invoking sprintf with a fairly insane precision spec:
Actually, it looks like sprintf is not the problem. This is:
(gdb)
984 buf[10 + n] = '\0';
(gdb) p n
$9 = -46
So first off, we're stomping on something we shouldn't, and
secondly we're failing to nul-terminate buf[], which easily
explains your observed crash at the strcpy a little further
down. On most platforms strcpy would find a nul byte not
too much further on, which might prevent the worst sorts
of damage, but this is still very ugly.
regards, tom lane
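As an added illustration of the defect class described above (not code from this thread or from PostgreSQL's contrib/seg): a hypothetical formatter that, like the reported code, places its terminator at an index computed from a caller-supplied digit count, beside a checked version that rejects out-of-range counts before any index is formed. All names (format_digits_checked, unchecked_terminator_index, OUT_LEN, MAX_DIGITS) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical formatter (added example, not the seg module's code). It mirrors
 * the shape of the bug in the thread: a fixed buffer, a significant-digit count n
 * taken from parsed input, and a terminator placed at an index computed from n. */

#define OUT_LEN    64   /* size of the caller's buffer */
#define MAX_DIGITS 20   /* largest digit count the formatter will honour */

/* Index the unchecked code would write the terminator to; with n = -46 this is
 * negative, i.e. a write before the start of the buffer and no terminator at all. */
int unchecked_terminator_index(int n)
{
    return 10 + n;
}

/* Format value with n significant digits into out[OUT_LEN]. The range check runs
 * before any index is formed, and snprintf always nul-terminates within OUT_LEN,
 * so out is a valid string on every return. Returns false if n was rejected. */
bool format_digits_checked(double value, int n, char out[OUT_LEN])
{
    if (n < 0 || n > MAX_DIGITS) {
        out[0] = '\0';
        return false;
    }
    int written = snprintf(out, OUT_LEN, "%.*g", n, value);
    return written >= 0 && written < OUT_LEN;
}

/* Test helper: true if formatting (value, n) is accepted and yields expected. */
bool formats_as(double value, int n, const char *expected)
{
    char buf[OUT_LEN];
    return format_digits_checked(value, n, buf) && strcmp(buf, expected) == 0;
}

/* Test helper: true if n is rejected and the buffer is still a valid (empty) string. */
bool rejects_count(int n)
{
    char buf[OUT_LEN];
    memset(buf, 'x', sizeof buf);           /* poison so a missing terminator shows */
    return !format_digits_checked(1.0, n, buf) && buf[0] == '\0';
}
```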