[MASSMAIL] Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)

From: Ranier Vilela
Subject: [MASSMAIL] Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)
Msg-id: CAEudQAokoJFsNoDwOwbuLzBKP67nMhkL0Qe_1WztEfK1JAKDCg@mail.gmail.com
Replies: Re: Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers
Hi,

While I was working on [1], Coverity reported some errors:

src/bin/pg_basebackup/pg_createsubscriber.c
CID 1542690: (#1 of 2): Out-of-bounds access (OVERRUN)
alloc_strlen: Allocating insufficient memory for the terminating null of the string. [Note: The source code implementation of the function has been overridden by a builtin model.]
CID 1542690: (#2 of 2): Out-of-bounds access (OVERRUN)
alloc_strlen: Allocating insufficient memory for the terminating null of the string. [Note: The source code implementation of the function has been overridden by a builtin model.]

I think that is right.

The source of errors is the function PQescapeInternal.
The slow path has bugs when num_quotes or num_backslashes are greater than zero.
For each num_quotes or num_backslashes we need to allocate two more.

Code where the out-of-bounds happens:

    for (s = str; s - str < input_len; ++s)
    {
        if (*s == quote_char || (!as_ident && *s == '\\'))
        {
            *rp++ = *s;
            *rp++ = *s;
        }
    }

Patch attached.

Best regards,
Ranier Vilela
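An added example, not libpq's PQescapeInternal and not the attached patch: the same doubling loop, implemented stand-alone with a counting pass that sizes the buffer, returning the allocation size so the written length can be checked against it (the function name, the hypothetical alloc_size parameter and the test inputs are assumptions of this example).

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not libpq code: escape str as a SQL literal (as_ident=false)
 * or identifier (as_ident=true) by doubling the quote character, and for
 * literals also backslashes. Returns a malloc'd NUL-terminated string (NULL
 * on failure) and stores the buffer size in *alloc_size for checking.
 */
char *escape_doubling(const char *str, size_t input_len, bool as_ident,
                      size_t *alloc_size)
{
    char quote_char = as_ident ? '"' : '\'';
    size_t num_quotes = 0, num_backslashes = 0;
    const char *s;

    /* Counting pass: every char counted here is written twice below. */
    for (s = str; (size_t) (s - str) < input_len; ++s)
    {
        if (*s == quote_char)
            num_quotes++;
        else if (*s == '\\')
            num_backslashes++;
    }

    /* One extra byte per doubled char, two enclosing quotes, the NUL, and
       for literals containing backslashes the E prefix. */
    size_t size = input_len + num_quotes + 3;
    if (!as_ident && num_backslashes > 0)
        size += num_backslashes + 1;
    char *result = malloc(size);
    if (result == NULL)
        return NULL;

    char *rp = result;
    if (!as_ident && num_backslashes > 0)
        *rp++ = 'E';
    *rp++ = quote_char;
    for (s = str; (size_t) (s - str) < input_len; ++s)
    {
        *rp++ = *s;
        if (*s == quote_char || (!as_ident && *s == '\\'))
            *rp++ = *s;        /* second copy of a doubled char */
    }
    *rp++ = quote_char;
    *rp = '\0';
    *alloc_size = size;
    return result;
}
```

Comparing strlen(result) + 1 with *alloc_size after each call is the check Coverity's model is approximating: the bytes written, including the NUL, must never exceed the bytes allocated.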
