Home > mailing lists

CID 1428952 (#1 of 1): Out-of-bounds access (OVERRUN) (src/backend/commands/async.c) - Mailing list pgsql-hackers

From	Ranier Vilela
Subject	CID 1428952 (#1 of 1): Out-of-bounds access (OVERRUN) (src/backend/commands/async.c)
Date	July 18, 2020 17:34:54
Msg-id	CAEudQAq5jaRB01ZpmkXOVNSjm92cru1gvuAKG6Fu686wLo7Nbw@mail.gmail.com Whole thread Raw
Responses	Re: CID 1428952 (#1 of 1): Out-of-bounds access (OVERRUN) (src/backend/commands/async.c)
List	pgsql-hackers

Tree view

Hi Tom,

Can you take a look?

Per Coverity.

There is something wrong with the definition of QUEUE_PAGESIZE on async.c

1. #define QUEUE_PAGESIZE BLCKSZ
2. BLCKSZ is 8192
3..sizeof(AsyncQueueControl) is 8080, according to Coverity (Windows 64 bits)

4. (Line 1508) qe.length = QUEUE_PAGESIZE - offset;

5. offset is zero

6. qe.length is 8192

/* Now copy qe into the shared buffer page */
memcpy(NotifyCtl->shared->page_buffer[slotno] + offset,
&qe,
qe.length);

CID 1428952 (#1 of 1): Out-of-bounds access (OVERRUN) at line 1515, with memcpy call.

9. overrun-buffer-arg: Overrunning struct type AsyncQueueEntry of 8080 bytes by passing it to a function which accesses it at byte offset 8191 using argument qe.length (which evaluates to 8192).

Question:

1. NotifyCtl->shared->page_buffer[slotno] is really struct type AsyncQueueEntry?

regards,

Ranier Vilela

pgsql-hackers by date:

From: Tom Lane
Date: 18 July 2020, 17:06:13
Subject: Re: Wrong results from in_range() tests with infinite offset

From: Rémi Lapeyre
Date: 18 July 2020, 18:25:55
Subject: Re: Add header support to text format and matching feature

CID 1428952 (#1 of 1): Out-of-bounds access (OVERRUN) (src/backend/commands/async.c) - Mailing list pgsql-hackers

Previous

Next