From 267eb954cc96210985426aa31142ead37bfdc62c Mon Sep 17 00:00:00 2001 From: Tomas Vondra Date: Tue, 3 Dec 2019 16:55:51 +0100 Subject: [PATCH] Ensure maxlen is at leat 1 in dict_int The dict_int text search dictionary template accepts maxlen parameter, which is then used to cap the length of input strings. The value was not properly checked, and the code simply does txt[d->maxlen] = '\0'; to insert a terminator, leading to segfaults with negative values. This commit simply rejects values less than 1. The issue was there since dct_int was introduced in 9.3, so backpatch all the way back to 9.4 which is the oldest supported version. Reported-by: cili Discussion: https://postgr.es/m/16144-a36a5bef7657047d@postgresql.org Backpatch-through: 9.4 --- contrib/dict_int/dict_int.c | 5 +++++ contrib/dict_int/expected/dict_int.out | 2 ++ contrib/dict_int/sql/dict_int.sql | 2 ++ 3 files changed, 9 insertions(+) diff --git a/contrib/dict_int/dict_int.c b/contrib/dict_int/dict_int.c index 56ede37089e..13b5696d83c 100644 --- a/contrib/dict_int/dict_int.c +++ b/contrib/dict_int/dict_int.c @@ -45,6 +45,11 @@ dintdict_init(PG_FUNCTION_ARGS) if (strcmp(defel->defname, "maxlen") == 0) { d->maxlen = atoi(defGetString(defel)); + + if (d->maxlen < 1) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("maxlen value has to be >= 1"))); } else if (strcmp(defel->defname, "rejectlong") == 0) { diff --git a/contrib/dict_int/expected/dict_int.out b/contrib/dict_int/expected/dict_int.out index 3b766ec52ad..483e700d231 100644 --- a/contrib/dict_int/expected/dict_int.out +++ b/contrib/dict_int/expected/dict_int.out @@ -300,3 +300,5 @@ select ts_lexize('intdict', '314532610153'); {314532} (1 row) +ALTER TEXT SEARCH DICTIONARY intdict (MAXLEN = -214783648); +ERROR: maxlen value has to be >= 1 diff --git a/contrib/dict_int/sql/dict_int.sql b/contrib/dict_int/sql/dict_int.sql index 8ffec6b7708..5c27accff4a 100644 --- a/contrib/dict_int/sql/dict_int.sql +++ b/contrib/dict_int/sql/dict_int.sql @@ -51,3 +51,5 @@ select ts_lexize('intdict', '252281774'); select ts_lexize('intdict', '313425'); select ts_lexize('intdict', '641439323669'); select ts_lexize('intdict', '314532610153'); + +ALTER TEXT SEARCH DICTIONARY intdict (MAXLEN = -214783648);