The following function crashes plpython on x86-64 / gcc 4.1.2 / debian 4.0:

    CREATE FUNCTION crashme(str_len integer)
    RETURNS text AS $$
    raise Exception("X" * str_len)
    $$ LANGUAGE plpythonu;
    SELECT crashme(1000);

The problem turns out to be the va_list handling in PLy_vprintf(), which
uses the same va_list repeatedly. The fix is to va_copy to a temp variable.

Additionally, the attached patch fixes 2 more problems in that function:

- it's nonsensical to check the existing buffer length for >0; instead the
  function result should be checked (which for vsnprintf() should
  always be > 0, but maybe there are non-standard systems out there?)
- the * sizeof(char) in malloc() is pointless - even if we want to support
  systems where sizeof(char) != 1, the current code is wrong, as from my reading
  of the manpage, vsnprintf() takes the buffer length in bytes but returns chars,
  so the 'blen' must be bytes anyway and the sizeof(char) must be in the line:

      blen = bchar + 1;

The function seems to be essentially the same since 7.2, so the patch should
apply to all branches. If you prefer, you can apply the cleanups to HEAD only.
--
marko