ECPG segfault

From: Jürgen Cappel
The code in ecpg/preproc/type.c has a problem when allocating
memory. I'm referring to the function ECPGdump_a_simple() where
one of the first actions is allocating memory and assigning it
to variable "offset". The amount of memory requested depends on
the size of the variable's name and the length of a fixed string.
The function has a parameter called "varcharsize" (array size string)
which is later used in the "case ECPGt_char:" where it is included
in an sprintf() to fill the allocated memory area. This leads to
a subsequent segmentation fault if "varcharsize" is not a simple
integer but maybe a cpp macro of some length, say, 20 bytes. At
least it *can* lead to a segfault, because you never know how and
when memory corruption strikes back on you ...

Using my example, things work well when allocating a few bytes more,
but I would suggest adding a strlen(varcharsize) instead of 1 byte
for allocation of "offset".

Comments are welcome! Best regards, Jürgen Cappel

Oh, and btw thanks to valgrind for pointing me to that place :-)



Re: ECPG segfault

From: Michael Meskes
Thanks for hunting down this bug. Patch applied to HEAD and 7.4.

On Fri, Mar 26, 2004 at 01:26:28PM +0100, Jürgen Cappel wrote:
> Using my example, things work well when allocating a few bytes more,
> but I would suggest adding a strlen(varcharsize) instead of 1 byte
> for allocation of "offset".

Actually you need the 1 too. :-)

Michael
--
Michael Meskes
Email: Michael at Fam-Meskes dot De
ICQ: 179140304, AIM/Yahoo: michaelmeskes, Jabber: meskes@jabber.org
Go SF 49ers! Go Rhein Fire! Use Debian GNU/Linux! Use PostgreSQL!
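The sizing bug described in the report, and the correction agreed in the reply (count varcharsize and keep the extra byte for the terminator), as an added illustration in C. This is not code from the thread or from ecpg's type.c; the format string, the fixed-text constant and the sample names are constructed for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format written into "offset" for the char case. Constructed for this
 * example; it is not the real type.c format string. */
static const char OFFSET_FMT[] = "sizeof(%s) * %s";
/* The fixed text of OFFSET_FMT, i.e. everything except the two %s. */
static const char FIXED_TEXT[] = "sizeof() * ";

/* Buggy sizing: counts the variable name, the fixed text and the
 * terminating NUL, but not varcharsize, which sprintf() also writes. */
size_t offset_alloc_buggy(const char *name, const char *varcharsize)
{
    (void)varcharsize;               /* ignored: that is the bug */
    return strlen(name) + strlen(FIXED_TEXT) + 1;
}
/* Fixed sizing: add strlen(varcharsize); the +1 for the NUL stays. */
size_t offset_alloc_fixed(const char *name, const char *varcharsize)
{
    return strlen(name) + strlen(FIXED_TEXT) + strlen(varcharsize) + 1;
}
/* Bytes the formatted string really occupies, NUL included. */
size_t offset_needed(const char *name, const char *varcharsize)
{
    return (size_t) snprintf(NULL, 0, OFFSET_FMT, name, varcharsize) + 1;
}

/* How many bytes past the buggy allocation sprintf() would write
 * (0 when it fits). A 20-byte macro name overruns by 20 bytes. */
size_t overflow_bytes(const char *name, const char *varcharsize)
{
    size_t need = offset_needed(name, varcharsize);
    size_t got = offset_alloc_buggy(name, varcharsize);
    return need > got ? need - got : 0;
}

/* Build "offset" with the corrected size; snprintf() bounds the write
 * so a future sizing mistake truncates instead of corrupting the heap.
 * Caller frees the result. */
char *build_offset(const char *name, const char *varcharsize)
{
    size_t n = offset_alloc_fixed(name, varcharsize);
    char *offset = malloc(n);
    if (offset == NULL)
        return NULL;
    snprintf(offset, n, OFFSET_FMT, name, varcharsize);
    return offset;
}
```

With a plain "1" the buggy formula is already one byte short, which is why the overrun is silent most of the time; with a 20-character macro name it is short by 20 bytes.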


Re: ECPG segfault

From: Bruce Momjian
Michael has fixed this in 7.4.X and CVS HEAD.  Thanks.

---------------------------------------------------------------------------

Jürgen Cappel wrote:
> The code in ecpg/preproc/type.c has a problem when allocating
> memory. I'm referring to the function ECPGdump_a_simple() where
> one of the first actions is allocating memory and assigning it
> to variable "offset". The amount of memory requested depends on
> the size of the variable's name and the length of a fixed string.
> The function has a parameter called "varcharsize" (array size string)
> which is later used in the "case ECPGt_char:" where it is included
> in an sprintf() to fill the allocated memory area. This leads to
> a subsequent segmentation fault if "varcharsize" is not a simple
> integer but maybe a cpp macro of some length, say, 20 bytes. At
> least it *can* lead to a segfault, because you never know how and
> when memory corruption strikes back on you ...
> 
> Using my example, things work well when allocating a few bytes more,
> but I would suggest adding a strlen(varcharsize) instead of 1 byte
> for allocation of "offset".
> 
> Comments are welcome! Best regards, Jürgen Cappel
> 
> Oh, and btw thanks to valgrind for pointing me to that place :-)
> 

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073