Re: BUG #16144: Segmentation fault on dict_int extension

On Mon, Dec 02, 2019 at 12:41:21PM +0000, PG Bug reporting form wrote:
>The following bug has been logged on the website:
>
>Bug reference: 16144
>Logged by: cili
>Email address: cilizili(at)protonmail(dot)com
>PostgreSQL version: 12.1
>Operating system: CentOS 7.4
>Description:
>
>The dict_int extension is an example of an add-on dictionary template for
>full-text search. The 'intdict' is a built-in dictionary. If we set MAXLEN
>parameter with negative value for the dictionary, ts_lexize function causes
>a segmentation fault. The negative limit for MAXLEN which causes
>segmentation fault is environment dependent.
>
># initdb
># pg_ctl -D /var/lib/pgsql/data -l logfile start
># psql
>
>postgres=# CREATE EXTENSION dict_int;
>CREATE EXTENSION
>postgres=# ALTER TEXT SEARCH DICTIONARY intdict (MAXLEN = -214783648);
>ALTER TEXT SEARCH DICTIONARY
>postgres=# select ts_lexize('intdict', '12345678');
>server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
>The connection to the server was lost. Attempting reset: Failed.
>!>
>!>\q
>

Yeah, this seems to be a failure in evaluating maxlen parameter. It's
set to 6 by default, but we simply trust whatever value the user gives
us, and then we do this

txt[d->maxlen] = '\0';

which fails for obvious reasons.

Will fix by rejecting maxlen values less than 1. The docs don't say
which value should the the minimum, but 0 seems useless.

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services