From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | pgsql-committers(at)postgresql(dot)org |
Subject: | pgsql: Fix off-by-one loop count in MapArrayTypeName, and get rid of st |
Date: | 2014-12-16 20:36:14 |
Message-ID: | E1Y0yqs-0008VI-Fm@gemulon.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
Fix off-by-one loop count in MapArrayTypeName, and get rid of static array.
MapArrayTypeName would copy up to NAMEDATALEN-1 bytes of the base type
name, which of course is wrong: after prepending '_' there is only room for
NAMEDATALEN-2 bytes. Aside from being the wrong result, this case would
lead to overrunning the statically allocated work buffer. This would be a
security bug if the function were ever used outside bootstrap mode, but it
isn't, at least not in any currently supported branches.
Aside from fixing the off-by-one loop logic, this patch gets rid of the
static work buffer by having MapArrayTypeName pstrdup its result; the sole
caller was already doing that, so this just requires moving the pstrdup
call. This saves a few bytes but mainly it makes the API a lot cleaner.
Back-patch on the off chance that there is some third-party code using
MapArrayTypeName with less-secure input. Pushing pstrdup into the function
should not cause any serious problems for such hypothetical code; at worst
there might be a short term memory leak.
Per Coverity scanning.
Branch
------
REL9_3_STABLE
Details
-------
http://git.postgresql.org/pg/commitdiff/53960e7eb34618c96f4d17216e6a3f92ac98c749
Modified Files
--------------
src/backend/bootstrap/bootscanner.l | 2 +-
src/backend/bootstrap/bootstrap.c | 31 +++++++++++++------------------
src/include/bootstrap/bootstrap.h | 2 +-
3 files changed, 15 insertions(+), 20 deletions(-)
From | Date | Subject | |
---|---|---|---|
Next Message | pgsql | 2014-12-16 23:54:44 | pgsql: Tag refs/tags/REL9_4_0 was created |
Previous Message | Tom Lane | 2014-12-16 19:54:05 | pgsql: Suppress bogus statistics when pgbench failed to complete any tr |