From: | Aleksander Alekseev <aleksander(at)timescale(dot)com> |
---|---|
To: | Spyridon Dimitrios Agathos <spyridon(dot)dimitrios(dot)agathos(at)gmail(dot)com> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Bug: Reading from single byte character column type may cause out of bounds memory reads. |
Date: | 2022-07-13 13:14:39 |
Message-ID: | CAJ7c6TNguAKGcYxk=SHGvGAGfdrx_2DP5bvtDNu+eQ+3kDbt7w@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi Spyridon,
> The column "single_byte_col" is supposed to store only 1 byte. Nevertheless, the INSERT command implicitly casts the 'đ' text into "char". This means that only the first byte of 'đ' ends up stored in the column.
> gdb reports that "pg_mblen(p) = 4" (line 1046), which is expected since the pg_mblen('đ') is indeed 4. Later at line 1050, the memcpy will copy 4 bytes instead of 1, hence an out of bounds memory read happens for pointer 's', which effectively copies random bytes.
Many thanks for reporting this!
> - OS: Ubuntu 20.04
> - PSQL version 14.4
I can confirm the bug exists in the `master` branch as well and
doesn't depend on the platform.
Although the bug is easy to fix for this particular case (see the
patch) I'm not sure if this solution is general enough. E.g. is there
something that generally prevents pg_mblen() from doing out of bound
reading in cases similar to this one? Should we prevent such an INSERT
from happening instead?
--
Best regards,
Aleksander Alekseev
Attachment | Content-Type | Size |
---|---|---|
v1-0001-Fix-out-of-bounds-memory-reads-in-text_substring.patch | application/octet-stream | 2.1Â KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Jonathan S. Katz | 2022-07-13 13:23:00 | Re: PG15 beta1 sort performance regression due to Generation context change |
Previous Message | Alexander Korotkov | 2022-07-13 12:37:04 | Re: Building PostgreSQL in external directory is broken? |