Hi, everyone.
I have found a potential memory access violation in the ecpg module. And I found that this problem happens in all postgres versions.
Here it is:
https://github.com/postgres/postgres/blob/REL9_5_16/src/interfaces/ecpg/preproc/pgc.l
----------------------------------------------------------------------------------------------------------------------------
            /* If file name is enclosed in '"' remove these and look only in '.' */
            /* Informix does look into all include paths though, except filename starts with '/' */
            if (yytext[0] == '"' && yytext[i] == '"' &&
                ((compat != ECPG_COMPAT_INFORMIX && compat != ECPG_COMPAT_INFORMIX_SE) || yytext[1] == '/'))
            {
                yytext[i] = '\0';
                memmove(yytext, yytext+1, strlen(yytext));

                strlcpy(inc_file, yytext, sizeof(inc_file));
                yyin = fopen(inc_file, "r");
                if (!yyin)
                {
                    if (strcmp(inc_file + strlen(inc_file) - 2, ".h") != 0)   /* ★ */
                    {
                        strcat(inc_file, ".h");
                        yyin = fopen(inc_file, "r");
                    }
                }

            }
----------------------------------------------------------------------------------------------------------------------------
When precompiling an ecpg program (running "ecpg xxx.pgc" is enough) which has the statement below:
------------------------------------
EXEC SQL INCLUDE "a"
------------------------------------
(Here, "a" is short for "a.h"; this feature is documented at https://www.postgresql.org/docs/9.5/ecpg-preproc.html#ECPG-INCLUDE )
The ecpg command runs into the above program fragment and inc_file's value is the string "a", whose strlen(inc_file) is 1.
Here, ecpg first tries to open a header file named "a", which does not exist. Obviously, this fails.
Then, ecpg tries to find out whether the given filename "a" has the suffix ".h", in the code line marked ★ above.
Here, strlen(inc_file) is 1, so ecpg accesses the address inc_file - 1. That means it accesses an address outside inc_file.
It is obviously a potential problem which may not lead to an error or crash most of the time. But it is a hidden danger which should be fixed.
Last, it is easy to fix; here is a minimum reproduction case and a solution patch.
--
Best Regards
-----------------------------------------------------
Wu Fei
DX3
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
ADDR.: No.6 Wenzhu Road, Software Avenue,
Nanjing, 210012, China
TEL : +86+25-86630566-9356
COINS: 7998-9356
FAX: +86+25-83317685
MAIL:wufei.fnst@cn.fujitsu.com
http://www.fujitsu.com/cn/fnst/
---------------------------------------------------
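The out-of-bounds read described in the message comes from `inc_file + strlen(inc_file) - 2` being computed before anyone checks that the name is at least two bytes long. The following is an added, self-contained example (not the ecpg source and not the patch attached to the original mail) that isolates the suffix test from the ★ line: `original_suffix_offset` shows the offset the original expression would add to the buffer (negative means a read before the buffer), `has_h_suffix` is a length-guarded replacement, and `fallback_include_name` builds the ".h" fallback name with a bounded write. The function names, the sample filenames and the buffer sizes are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Constructed example, not PostgreSQL's own code or fix.
 *
 * The original ecpg test was:
 *     strcmp(inc_file + strlen(inc_file) - 2, ".h") != 0
 * For a name shorter than two bytes the pointer lands before inc_file.
 */

/* Offset the original expression adds to inc_file. A negative result
 * means the original strcmp would read memory before the buffer. */
ptrdiff_t original_suffix_offset(const char *name)
{
    return (ptrdiff_t) strlen(name) - 2;
}

/* Length-guarded replacement: only inspect the last two bytes when the
 * string actually has two bytes. Returns 1 if name ends in ".h". */
int has_h_suffix(const char *name)
{
    size_t len = strlen(name);

    return len >= 2 && strcmp(name + len - 2, ".h") == 0;
}

/*
 * Produce the fallback name ecpg would try next (name + ".h") into out.
 * Returns 1 when written, 0 when the name already ends in ".h" (nothing
 * further to try), -1 when the result would not fit in out.
 */
int fallback_include_name(const char *name, char *out, size_t outsz)
{
    int n;

    if (has_h_suffix(name))
        return 0;

    /* bounded write instead of strcat into a fixed-size buffer */
    n = snprintf(out, outsz, "%s.h", name);
    if (n < 0 || (size_t) n >= outsz)
        return -1;
    return 1;
}

int main(void)
{
    /* constructed sample include names, including the one-byte case from the mail */
    const char *samples[] = { "a", "a.h", "h", "", "utils" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    {
        printf("name=\"%s\" original_offset=%ld has_h_suffix=%d",
               samples[i], (long) original_suffix_offset(samples[i]),
               has_h_suffix(samples[i]));
        if (fallback_include_name(samples[i], buf, sizeof buf) == 1)
            printf(" next_try=\"%s\"", buf);
        printf("\n");
    }
    return 0;
}
```

Running it shows `original_offset=-1` for `"a"` and `-2` for the empty name, which is exactly the pointer arithmetic the ★ line performs; `has_h_suffix` returns 0 for both without touching memory outside the string.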