| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | vyegorov(at)gmail(dot)com |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #17474: Segmentation fault from INSERT ( JumbleExpr ) |
| Date: | 2022-05-05 15:12:36 |
| Message-ID: | 2689773.1651763556@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> (gdb) bt
> #0 0x000056397d94c297 in memcpy (__len=1016, __src=<optimized out>,
> __dest=<optimized out>) at
> /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
> #1 AppendJumble (item=<optimized out>, item(at)entry=0x7f403929afd8 "u",
> size=30595144541, size(at)entry=4, jstate=<optimized out>, jstate=<optimized
> out>) at ./build/../src/backend/utils/misc/queryjumble.c:213
If we take that at face value --- which isn't a very safe assumption when
dealing with optimized code --- it suggests that the loop in AppendJumble
has gone crazy and allowed "size" to wrap around to some large value.
If that happened then it'd iterate until "item" advances off the end of
memory and you get SIGSEGV.
I don't see how that could possibly happen though, short of a compiler
bug:
while (size > 0)
{
Size part_size;
...
part_size = Min(size, JUMBLE_SIZE - jumble_len);
...
size -= part_size;
}
How could the value of part_size exceed size?
I've spent time staring at that code before, because Coverity regularly
whines about queryjumble.c in terms suggesting that it sees a potential
for exactly this kind of bug. But I sure don't see it.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jobin Augustine | 2022-05-05 15:49:03 | Security Definer functions no longer works in PG14+ |
| Previous Message | Victor Yegorov | 2022-05-05 14:34:40 | Re: BUG #17474: Segmentation fault from INSERT ( JumbleExpr ) |