Possible memory corruption (src/timezone/zic.c b/src/timezone/zic.c) - Mailing list pgsql-hackers

From Ranier Vilela
Subject Possible memory corruption (src/timezone/zic.c b/src/timezone/zic.c)
Msg-id CAEudQApPZCp12sc6Uu+V6WjNHQD4N3b0w7img99K8Eehoy5OAA@mail.gmail.com
List pgsql-hackers
Hi,

Per Coverity.
CID 1412632 (#1 of 1): Out-of-bounds access (OVERRUN)
1. overrun-buffer-val: Overrunning buffer pointed to by &c of 1 bytes by passing it to a function which accesses it at byte offset 4.

For some people, Coverity opinions count zero.
Who knows for others, it helps.

It doesn't matter whether WideCharToMultiByte fails or not; the danger exists.
If WideCharToMultiByte returns 4, memmove will possibly destroy 4 bytes.

The fix: use of the traditional and bogus C style, without tricks.

diff --git a/src/timezone/zic.c b/src/timezone/zic.c
index 0ea6ead2db..a5f7e7f1cd 100644
--- a/src/timezone/zic.c
+++ b/src/timezone/zic.c
@@ -1129,9 +1129,9 @@ static bool
 itssymlink(char const *name)
 {
 #ifdef HAVE_SYMLINK
- char c;
+ char linkpath[MAXPGPATH];
 
- return 0 <= readlink(name, &c, 1);
+ return 0 <= readlink(name, linkpath, sizeof(linkpath));
 #else
  return false;
 #endif
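Review bot: the justification for enlarging the buffer should say which readlink implementation actually overruns, because on a POSIX readlink the original `readlink(name, &c, 1)` is well-defined: the third argument bounds the write, so at most one byte is stored and no NUL terminator is added, which is exactly the "is this a symlink at all" probe this function wants. The Coverity report above points at WideCharToMultiByte and memmove, i.e. a Windows emulation of readlink that apparently writes the converted path without honouring the size it was given; if that is the case, the defect is in that wrapper, and every other caller that passes a short buffer remains exposed even after this hunk, so the wrapper should be fixed (or its size handling confirmed) rather than only this call site. As a defensive change the hunk is harmless, but please state in the commit message that the larger buffer is a workaround, note that the return value is still only compared against 0 so the path contents are discarded, and confirm that MAXPGPATH is visible in this translation unit.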

regards,
Ranier Vilela
