| From: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
|---|---|
| To: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c) |
| Date: | 2024-03-30 11:36:55 |
| Message-ID: | CAEudQAokoJFsNoDwOwbuLzBKP67nMhkL0Qe_1WztEfK1JAKDCg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
While I working in [1], Coverity reported some errors:
src/bin/pg_basebackup/pg_createsubscriber.c
CID 1542690: (#1 of 2): Out-of-bounds access (OVERRUN)
alloc_strlen: Allocating insufficient memory for the terminating null of
the string. [Note: The source code implementation of the function has been
overridden by a builtin model.]
CID 1542690: (#2 of 2): Out-of-bounds access (OVERRUN)
alloc_strlen: Allocating insufficient memory for the terminating null of
the string. [Note: The source code implementation of the function has been
overridden by a builtin model.]
I think that is right.
The source of errors is the function PQescapeInternal.
The slow path has bugs when num_quotes or num_backslashes are greater than
zero.
For each num_quotes or num_backslahes we need to allocate two more.
Code were out-of-bounds it happens:
for (s = str; s - str < input_len; ++s)
{
if (*s == quote_char || (!as_ident && *s == '\\'))
{
*rp++ = *s;
*rp++ = *s;
}
Patch attached.
Best regards,
Ranier Vilela
[1] Re: Fix some resources leaks
(src/bin/pg_basebackup/pg_createsubscriber.c)
<https://www.postgresql.org/message-id/CAEudQAqQHGrhmY3%2BrgdqJLM-76sozLm__0_NSJetuQHsa%2Bd41Q%40mail.gmail.com>
| Attachment | Content-Type | Size |
|---|---|---|
| fix-out-of-bouds-libpqinternal.patch | application/octet-stream | 685 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2024-03-30 12:00:23 | Re: Combine Prune and Freeze records emitted by vacuum |
| Previous Message | Magnus Hagander | 2024-03-30 11:26:59 | Re: Statistics Import and Export |