Re: BUG #17725: Sefault when seg_in() called with a large argument - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #17725: Sefault when seg_in() called with a large argument
Date
Msg-id 1181726.1671555991@sss.pgh.pa.us
In response to Re: BUG #17725: Sefault when seg_in() called with a large argument  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
I wrote:
> I don't see a crash either, but I can't help observing that this
> input leads to a "seg" struct with "-46" significant digits:
> ...
> So we're invoking sprintf with a fairly insane precision spec:

Actually, it looks like sprintf is not the problem.  This is:

(gdb) 
984                                             buf[10 + n] = '\0';
(gdb) p n
$9 = -46

So first off, we're stomping on something we shouldn't, and
secondly we're failing to nul-terminate buf[], which easily
explains your observed crash at the strcpy a little further
down.  On most platforms strcpy would find a nul byte not
too much further on, which might prevent the worst sorts
of damage, but this is still very ugly.

            regards, tom lane
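The defect described above, as an added illustration that is not the contrib/seg code itself: a caller-supplied "significant digits" count n is used both as a printf precision and as an index for the terminating nul, so a negative n (here -46) writes before the buffer and leaves it unterminated for the later strcpy. The hardened variant validates n before any indexing and lets snprintf do the termination; function names, BUFLEN and the wrapper are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUFLEN 64   /* assumed buffer size for this example */

/* The pattern quoted from the gdb session: trusts n completely.
 * With n = -46, buf[10 + n] is buf[-36]: an out-of-bounds write, and
 * buf itself never receives a terminator, so a following strcpy reads
 * until it happens to find a nul somewhere beyond the buffer. */
void
terminate_unchecked(char *buf, int n)
{
    buf[10 + n] = '\0';   /* n < -10 writes before buf, n > BUFLEN-11 writes past it */
}

/* Hardened variant: reject any n that cannot be a valid precision for
 * this buffer before touching memory, and rely on snprintf (which always
 * nul-terminates when buflen > 0) instead of a hand-computed index.
 * Returns false on rejection or truncation; the caller reports the error
 * (in PostgreSQL that would be an ereport()). */
bool
format_checked(char *buf, size_t buflen, double val, int n)
{
    int written;

    if (buflen == 0 || n < 0 || (size_t) n > buflen - 11)
        return false;                    /* -46 and oversized counts stop here */
    written = snprintf(buf, buflen, "%.*g", n, val);
    if (written < 0 || (size_t) written >= buflen)
        return false;                    /* truncated output is not a success */
    return true;
}

/* Convenience wrapper with its own buffer: formatted length, or -1. */
int
format_len(double val, int n)
{
    char buf[BUFLEN];

    return format_checked(buf, sizeof buf, val, n) ? (int) strlen(buf) : -1;
}

int
main(void)
{
    printf("n=3   -> %d\n", format_len(3.14159, 3));   /* "3.14", length 4 */
    printf("n=-46 -> %d\n", format_len(3.14159, -46)); /* rejected, -1 */
    return 0;
}
```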
