database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-04-29 13:56:47 +03:00
Code

Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the

Browse Source 
byte after the last full byte of the bit array, regardless of whether that
byte was part of the valid data or not.  Found by buildfarm testing.
Thanks to Stefan Kaltenbrunner for nailing down the cause.
This commit is contained in:
Tom Lane 2007-08-21 02:40:12 +00:00
parent 37b57f1186
commit c40f60db3f
1 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/backend/utils/adt/varbit.c
View File

@ -9,7 +9,7 @@
* Portions Copyright (c) 1994, Regents of the University of California * Portions Copyright (c) 1994, Regents of the University of California
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.50 2006/07/14 14:52:24 momjian Exp $ * $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.50.2.1 2007/08/21 02:40:12 tgl Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -468,8 +468,9 @@ varbit_out(PG_FUNCTION_ARGS)
result = (char *) palloc(len + 1); result = (char *) palloc(len + 1);
sp = VARBITS(s); sp = VARBITS(s);
r = result; r = result;
for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++) for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
{ {
/* print full bytes */
x = *sp; x = *sp;
for (k = 0; k < BITS_PER_BYTE; k++) for (k = 0; k < BITS_PER_BYTE; k++)
{ {
@ -477,11 +478,15 @@ varbit_out(PG_FUNCTION_ARGS)
x <<= 1; x <<= 1;
} }
} }
x = *sp; if (i < len)
for (k = i; k < len; k++)
{ {
*r++ = IS_HIGHBIT_SET(x) ? '1' : '0'; /* print the last partial byte */
x <<= 1; x = *sp;
for (k = i; k < len; k++)
{
*r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
x <<= 1;
}
} }
*r = '\0'; *r = '\0';