Postgres Pro
Downloads
Home   >   mailing lists

[MASSMAIL] Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c) - Mailing list pgsql-hackers

From Ranier Vilela
Subject [MASSMAIL] Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)
Date
Msg-id CAEudQAokoJFsNoDwOwbuLzBKP67nMhkL0Qe_1WztEfK1JAKDCg@mail.gmail.com
Whole thread Raw
Responses Re: Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)
List pgsql-hackers
Tree view
Hi,

While I working in [1], Coverity reported some errors:

src/bin/pg_basebackup/pg_createsubscriber.c
CID 1542690: (#1 of 2): Out-of-bounds access (OVERRUN)
alloc_strlen: Allocating insufficient memory for the terminating null of the string. [Note: The source code implementation of the function has been overridden by a builtin model.]
CID 1542690: (#2 of 2): Out-of-bounds access (OVERRUN)
alloc_strlen: Allocating insufficient memory for the terminating null of the string. [Note: The source code implementation of the function has been overridden by a builtin model.]

I think that is right.

The source of errors is the function PQescapeInternal.
The slow path has bugs when num_quotes or num_backslashes are greater than zero.
For each num_quotes or num_backslahes we need to allocate two more.

Code were out-of-bounds it happens:
for (s = str; s - str < input_len; ++s)
{
if (*s == quote_char || (!as_ident && *s == '\\'))
{
*rp++ = *s;
*rp++ = *s;
}

Patch attached.

Best regards,
Ranier Vilela

[1] Re: Fix some resources leaks (src/bin/pg_basebackup/pg_createsubscriber.c)
Attachment

pgsql-hackers by date:

Previous
From: Magnus Hagander
Date:
Subject: Re: Statistics Import and Export
Next
From: Robert Haas
Date:
Subject: Re: Combine Prune and Freeze records emitted by vacuum