| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Flavien GUEDEZ <flav(dot)pg(at)oopacity(dot)net> |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Insufficient memory access checks in pglz_decompress |
| Date: | 2023-10-18 15:14:27 |
| Message-ID: | 3116807.1697642067@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Flavien GUEDEZ <flav(dot)pg(at)oopacity(dot)net> writes:
> After some investigations about very corrupted toast data in one
> postgres instance, I found that the pglz_decompress function (in
> common/pg_lzcompress.c) does not check correctly where it copies data
> from using memcpy(), which could result in segfault.
> In this function, there are other checks to ensure that we do not copy
> after the destination end, but not if we copy data from "before the
> beginning".
Hmm, would it not be better to add this check to the existing "Check for
corrupt data" a bit further up? Then you'd only need one instance of
the test, and only need to do it once per tag (note the comment pointing
out that dp - off stays the same), and overall it'd be less surprising IMO.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Flavien GUEDEZ | 2023-10-18 16:46:56 | Re: Insufficient memory access checks in pglz_decompress |
| Previous Message | Flavien GUEDEZ | 2023-10-18 14:21:57 | Insufficient memory access checks in pglz_decompress |