From cb0a229be59dffe09cc0ceceececdbd06a559d3f Mon Sep 17 00:00:00 2001 From: Georgios Kokolatos Date: Mon, 8 May 2023 11:58:57 +0000 Subject: [PATCH v2] Null terminate the output buffer of LZ4Stream_gets LZ4Stream_gets did not null terminate its output buffer. Its callers expected the buffer to be null terminated so they passed it around to functions such as sscanf with unintended consequences. Reported-by: Alexander Lakhin --- src/bin/pg_dump/compress_lz4.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/bin/pg_dump/compress_lz4.c b/src/bin/pg_dump/compress_lz4.c index 423e1b7976..f97b7550d1 100644 --- a/src/bin/pg_dump/compress_lz4.c +++ b/src/bin/pg_dump/compress_lz4.c @@ -459,6 +459,10 @@ LZ4Stream_read_internal(LZ4State *state, void *ptr, int ptrsize, bool eol_flag) if (!LZ4Stream_init(state, size, false /* decompressing */ )) return -1; + /* No work needs to be done for a zero-sized output buffer */ + if (size <= 0) + return 0; + /* Verify that there is enough space in the outbuf */ if (size > state->buflen) { @@ -636,7 +640,7 @@ LZ4Stream_gets(char *ptr, int size, CompressFileHandle *CFH) LZ4State *state = (LZ4State *) CFH->private_data; int ret; - ret = LZ4Stream_read_internal(state, ptr, size, true); + ret = LZ4Stream_read_internal(state, ptr, size - 1, true); if (ret < 0 || (ret == 0 && !LZ4Stream_eof(CFH))) pg_fatal("could not read from input file: %s", LZ4Stream_get_error(CFH)); @@ -644,6 +648,12 @@ LZ4Stream_gets(char *ptr, int size, CompressFileHandle *CFH) if (ret == 0) return NULL; + /* + * Our caller expects the return string to be NULL terminated + * and we know that ret is greater than zero. + */ + ptr[ret - 1] = '\0'; + return ptr; } -- 2.34.1