The following bug has been logged on the website:
Bug reference: 15104
Logged by: Pan Bian
Email address: bianpan2016@163.com
PostgreSQL version: 10.3
Operating system: Linux
Description:
File: src/interfaces/ecpg/preproc/ecpg.c
Function: main()
Details: In function main(), the memory hold by variable output_filename is
freed at line 329. It then tries to parse the next command option. The freed
memory will be freed again at line 478 if a crafted option bypass the memory
allocation at line 316. I think set output_filename to NULL after the free
operation at line 329 will fix the issue.
For your convenience, I paste related bugs as follows:
116 main(int argc, char *const argv[])
117 {
...
157 output_filename = NULL;
265 if (optind >= argc) /* no files specified */
266 {
267 fprintf(stderr, _("%s: no input files specified\n"),
progname);
268 fprintf(stderr, _("Try \"%s --help\" for more information.\n"),
argv[0]);
269 return (ILLEGAL_OPTION);
270 }
271 else
272 {
273 /* after the options there must not be anything but filenames
*/
274 for (fnr = optind; fnr < argc; fnr++)
275 {
...
310 if (out_option == 0) /* calculate the output name */
311 {
312 if (strcmp(input_filename, "stdin") == 0)
313 base_yyout = stdout;
314 else
315 {
316 output_filename = mm_alloc(strlen(input_filename) +
3);
317 strcpy(output_filename, input_filename);
318
319 ptr2ext = strrchr(output_filename, '.');
320 /* make extension = .c resp. .h */
321 ptr2ext[1] = (header_mode == true) ? 'h' : 'c';
322 ptr2ext[2] = '\0';
323
324 base_yyout = fopen(output_filename, PG_BINARY_W);
325 if (base_yyout == NULL)
326 {
327 fprintf(stderr, _("%s: could not open file
\"%s\": %s\n"),
328 progname, output_filename,
strerror(errno));
329 free(output_filename);
330 free(input_filename);
331 continue;
332 }
333 }
334 }
...
477 if (output_filename && out_option == 0)
478 free(output_filename);
479
480 free(input_filename);
481 }
482 }
483 return ret_value;
484 }
Thanks!
