From: | Flavien GUEDEZ <flav(dot)pg(at)oopacity(dot)net> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: Insufficient memory access checks in pglz_decompress |
Date: | 2023-10-18 16:46:56 |
Message-ID: | bb74b9f4-65c1-4d89-af20-7de623948e36@oopacity.net |
Lists: | pgsql-bugs |
Thanks for your feedback, you are definitely right, I did not notice
that (dp - off) was staying the same in the while loop.
Here is another much smaller patch.
Flavien
On 18/10/2023 at 17:14, Tom Lane wrote:
> Flavien GUEDEZ <flav(dot)pg(at)oopacity(dot)net> writes:
>> After some investigations about very corrupted toast data in one
>> postgres instance, I found that the pglz_decompress function (in
>> common/pg_lzcompress.c) does not check correctly where it copies data
>> from using memcpy(), which could result in segfault.
>> In this function, there are other checks to ensure that we do not copy
>> after the destination end, but not if we copy data from "before the
>> beginning".
> Hmm, would it not be better to add this check to the existing "Check for
> corrupt data" a bit further up? Then you'd only need one instance of
> the test, and only need to do it once per tag (note the comment pointing
> out that dp - off stays the same), and overall it'd be less surprising IMO.
>
> regards, tom lane
Attachment | Content-Type | Size |
---|---|---|
v2-pglz_decompress_check_for_corrupted.patch | text/x-patch | 549 bytes |
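
An added example, not part of the original message or the attached patch: a simplified LZ-style decoder showing the per-tag check discussed in this thread, which rejects a back-reference whose offset points before the start of the output buffer. The function name `lz_decode`, the tag layout and the sample inputs are assumptions of this example, not PostgreSQL's code.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical simplified LZ decoder (illustration only). A control byte
 * precedes up to 8 items: a set bit means a 2-byte back-reference tag, a
 * clear bit means a literal byte. Tag layout assumed for this example:
 *   len = (b0 & 0x0f) + 3,  off = ((b0 & 0xf0) << 4) | b1
 * Returns the number of bytes written, or -1 on corrupt input. */
static int lz_decode(const unsigned char *src, size_t slen,
                     unsigned char *dest, size_t dlen)
{
    const unsigned char *sp = src, *srcend = src + slen;
    unsigned char *dp = dest, *destend = dest + dlen;

    while (sp < srcend && dp < destend) {
        unsigned char ctrl = *sp++;
        for (int bit = 0; bit < 8 && sp < srcend && dp < destend;
             bit++, ctrl >>= 1) {
            if (!(ctrl & 1)) {              /* literal byte */
                *dp++ = *sp++;
                continue;
            }
            if (srcend - sp < 2)            /* truncated tag */
                return -1;
            size_t len = (size_t)(sp[0] & 0x0f) + 3;
            size_t off = ((size_t)(sp[0] & 0xf0) << 4) | sp[1];
            sp += 2;
            /* One check per tag: the read pointer starts at dp - off and
             * only moves forward, so validating it here covers the whole
             * copy. off > dp - dest would read before the start of dest. */
            if (off == 0 || off > (size_t)(dp - dest))
                return -1;
            if (len > (size_t)(destend - dp))   /* clamp to output space */
                len = (size_t)(destend - dp);
            /* Byte-wise copy: source and destination overlap if off < len. */
            for (const unsigned char *from = dp - off; len > 0; len--)
                *dp++ = *from++;
        }
    }
    return (int)(dp - dest);
}

int main(void)
{
    unsigned char out[16];
    /* Constructed inputs: "ab" + tag(off=2,len=4), then a tag with off=5
     * as the very first item (nothing has been written yet). */
    const unsigned char good[] = {0x04, 'a', 'b', 0x01, 0x02};
    const unsigned char bad[]  = {0x01, 0x00, 0x05};
    printf("good: %d\n", lz_decode(good, sizeof good, out, sizeof out));
    printf("bad:  %d\n", lz_decode(bad, sizeof bad, out, sizeof out));
    return 0;
}
```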