| From: | Alexander Kuznetsov <kuznetsovam(at)altlinux(dot)org> |
|---|---|
| To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Cc: | nickel(at)altlinux(dot)org, egori(at)altlinux(dot)org |
| Subject: | Detect buffer underflow in get_th() |
| Date: | 2024-07-24 09:43:19 |
| Message-ID: | e22df993-cdb4-4d0a-b629-42211ebed582@altlinux.org |
| Lists: | pgsql-hackers |
Hello everyone,
In src/backend/utils/adt/formatting.c:1516, there is a get_th() function utilized to return ST/ND/RD/TH suffixes for simple numbers.
Upon reviewing its behavior, it appears capable of receiving non-numeric inputs (this is verified by a check at formatting.c:1527).
Given that the function can accept non-numeric inputs,
it is plausible that it could also receive an empty input,
although a brief examination of its calls did not reveal any such instances.
Nevertheless, if the function were to receive an empty input of zero length,
a buffer underflow would occur when attempting to compute *(num + (len - 1)), as (len - 1) would result in a negative shift.
To mitigate this issue, I propose a patch incorporating the zero_length_character_string error code, as detailed in the attachment.
--
Best regards,
Alexander Kuznetsov
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Detect-buffer-underflow-in-get_th.patch | text/x-patch | 1.1 KB |
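The following is an added example, not PostgreSQL's code and not the attached patch: a reduced model of the get_th() pattern the mail describes (compute num + (len - 1) with a signed int and inspect that byte) placed next to a variant that rejects zero-length input before any index arithmetic. All names (get_th_unsafe, get_th_guarded, probe_unsafe_with_sentinel, TH_ERR_ZERO_LENGTH) are hypothetical, and the suffix logic is a simplification rather than a copy of formatting.c. The out-of-string read is demonstrated by placing the empty string at offset 1 of a two-byte array, so the byte the unguarded code reads is one the caller controls and the demonstration itself stays well-defined.

```c
/*
 * Added example, not PostgreSQL code: a reduced model of the get_th()
 * pattern described in the mail (compute num + (len - 1), then inspect
 * that byte) next to a variant that rejects zero-length input first.
 * All names here are hypothetical.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum th_case { TH_UPPER, TH_LOWER };

enum th_error {
    TH_OK = 0,
    TH_ERR_NOT_NUMBER,      /* last byte is not a digit */
    TH_ERR_ZERO_LENGTH      /* empty input; the case the patch adds */
};

static const char *const NUM_TH_UPPER[] = { "ST", "ND", "RD", "TH" };
static const char *const NUM_TH_LOWER[] = { "st", "nd", "rd", "th" };

/* Index into the suffix tables: ...11, ...12, ...13 take "th"; otherwise
 * the last digit decides. last_char must point at the final digit. */
static int suffix_index(const char *last_char, int len)
{
    if (len >= 2 && last_char[-1] == '1')
        return 3;
    switch (*last_char) {
    case '1': return 0;
    case '2': return 1;
    case '3': return 2;
    default:  return 3;
    }
}

/* Pattern from the mail: len is a signed int and the last character is
 * located as num + (len - 1), so for len == 0 this reads num[-1], one byte
 * before the string. */
static const char *get_th_unsafe(const char *num, enum th_case tc,
                                 enum th_error *err)
{
    int len = (int) strlen(num);
    const char *last_char = num + (len - 1);

    if (!isdigit((unsigned char) *last_char)) {
        *err = TH_ERR_NOT_NUMBER;
        return NULL;
    }
    *err = TH_OK;
    return (tc == TH_UPPER ? NUM_TH_UPPER : NUM_TH_LOWER)[suffix_index(last_char, len)];
}

/* Guarded variant: reject the empty string before any index arithmetic. */
static const char *get_th_guarded(const char *num, enum th_case tc,
                                  enum th_error *err)
{
    size_t len = strlen(num);

    if (len == 0) {
        *err = TH_ERR_ZERO_LENGTH;
        return NULL;
    }
    const char *last_char = num + (len - 1);
    if (!isdigit((unsigned char) *last_char)) {
        *err = TH_ERR_NOT_NUMBER;
        return NULL;
    }
    *err = TH_OK;
    return (tc == TH_UPPER ? NUM_TH_UPPER : NUM_TH_LOWER)[suffix_index(last_char, (int) len)];
}

/* Show the out-of-string read without undefined behaviour: the empty
 * string is placed at buf + 1, so the byte the unsafe code inspects is
 * buf[0], which the caller chooses. The suffix returned points into the
 * static tables, so it stays valid after buf goes out of scope. */
static const char *probe_unsafe_with_sentinel(char sentinel, enum th_error *err)
{
    char buf[2];
    buf[0] = sentinel;   /* the byte sitting just before the empty input */
    buf[1] = '\0';       /* the empty input itself */
    return get_th_unsafe(buf + 1, TH_LOWER, err);
}

int main(void)
{
    static const char *const inputs[] =
        { "1", "2", "3", "4", "11", "12", "13", "21", "111", "1x", "" };
    enum th_error err;

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *s = get_th_guarded(inputs[i], TH_LOWER, &err);
        printf("guarded get_th(\"%s\") -> %s (err=%d)\n",
               inputs[i], s ? s : "NULL", (int) err);
    }

    /* What the unguarded pattern does with "" depends on the byte before it. */
    const char *s = probe_unsafe_with_sentinel('1', &err);
    printf("unsafe get_th(\"\") with '1' before it -> %s (err=%d)\n",
           s ? s : "NULL", (int) err);
    s = probe_unsafe_with_sentinel('Z', &err);
    printf("unsafe get_th(\"\") with 'Z' before it -> %s (err=%d)\n",
           s ? s : "NULL", (int) err);
    return 0;
}
```

Build with `cc -std=c11 -Wall -Wextra -o get_th_demo get_th_demo.c` and run. The two probe lines make the point of the mail concrete: with the unguarded arithmetic, an empty input yields either a suffix ("st" when a '1' happens to precede the buffer) or a "not a number" error, decided entirely by a byte that is not part of the input. In real code that byte would belong to whatever allocation precedes the string, which is exactly the one-byte underflow a sanitizer build (`-fsanitize=address`) reports; the guarded variant instead returns the dedicated zero-length error before touching memory.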