mirror of
				https://github.com/postgres/postgres.git
				synced 2025-10-24 01:29:19 +03:00 
			
		
		
		
	Fix off-by-one loop count in MapArrayTypeName, and get rid of static array.
MapArrayTypeName would copy up to NAMEDATALEN-1 bytes of the base type name, which of course is wrong: after prepending '_' there is only room for NAMEDATALEN-2 bytes. Aside from being the wrong result, this case would lead to overrunning the statically allocated work buffer. This would be a security bug if the function were ever used outside bootstrap mode, but it isn't, at least not in any currently supported branches. Aside from fixing the off-by-one loop logic, this patch gets rid of the static work buffer by having MapArrayTypeName pstrdup its result; the sole caller was already doing that, so this just requires moving the pstrdup call. This saves a few bytes but mainly it makes the API a lot cleaner. Back-patch on the off chance that there is some third-party code using MapArrayTypeName with less-secure input. Pushing pstrdup into the function should not cause any serious problems for such hypothetical code; at worst there might be a short term memory leak. Per Coverity scanning.
This commit is contained in:
		| @@ -105,7 +105,7 @@ insert			{ return(INSERT_TUPLE); } | |||||||
| "toast"			{ return(XTOAST); } | "toast"			{ return(XTOAST); } | ||||||
|  |  | ||||||
| {arrayid}		{ | {arrayid}		{ | ||||||
| 					yylval.str = pstrdup(MapArrayTypeName(yytext)); | 					yylval.str = MapArrayTypeName(yytext); | ||||||
| 					return(ID); | 					return(ID); | ||||||
| 				} | 				} | ||||||
| {id}			{ | {id}			{ | ||||||
|   | |||||||
| @@ -1026,38 +1026,33 @@ AllocateAttribute(void) | |||||||
| 	return attribute; | 	return attribute; | ||||||
| } | } | ||||||
|  |  | ||||||
| /* ---------------- | /* | ||||||
|  *		MapArrayTypeName |  *		MapArrayTypeName | ||||||
|  * XXX arrays of "basetype" are always "_basetype". |  | ||||||
|  *	   this is an evil hack inherited from rel. 3.1. |  | ||||||
|  * XXX array dimension is thrown away because we |  | ||||||
|  *	   don't support fixed-dimension arrays.  again, |  | ||||||
|  *	   sickness from 3.1. |  | ||||||
|  * |  * | ||||||
|  * the string passed in must have a '[' character in it |  * Given a type name, produce the corresponding array type name by prepending | ||||||
|  |  * '_' and truncating as needed to fit in NAMEDATALEN-1 bytes.  This is only | ||||||
|  |  * used in bootstrap mode, so we can get away with assuming that the input is | ||||||
|  |  * ASCII and we don't need multibyte-aware truncation. | ||||||
|  * |  * | ||||||
|  * the string returned is a pointer to static storage and should NOT |  * The given string normally ends with '[]' or '[digits]'; we discard that. | ||||||
|  * be freed by the CALLER. |  * | ||||||
|  * ---------------- |  * The result is a palloc'd string. | ||||||
|  */ |  */ | ||||||
| char * | char * | ||||||
| MapArrayTypeName(char *s) | MapArrayTypeName(const char *s) | ||||||
| { | { | ||||||
| 	int			i, | 	int			i, | ||||||
| 				j; | 				j; | ||||||
| 	static char newStr[NAMEDATALEN];	/* array type names < NAMEDATALEN long */ | 	char		newStr[NAMEDATALEN]; | ||||||
|  |  | ||||||
| 	if (s == NULL || s[0] == '\0') |  | ||||||
| 		return s; |  | ||||||
|  |  | ||||||
| 	j = 1; |  | ||||||
| 	newStr[0] = '_'; | 	newStr[0] = '_'; | ||||||
| 	for (i = 0; i < NAMEDATALEN - 1 && s[i] != '['; i++, j++) | 	j = 1; | ||||||
|  | 	for (i = 0; i < NAMEDATALEN - 2 && s[i] != '['; i++, j++) | ||||||
| 		newStr[j] = s[i]; | 		newStr[j] = s[i]; | ||||||
|  |  | ||||||
| 	newStr[j] = '\0'; | 	newStr[j] = '\0'; | ||||||
|  |  | ||||||
| 	return newStr; | 	return pstrdup(newStr); | ||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
|   | |||||||
| @@ -40,7 +40,7 @@ extern void InsertOneTuple(Oid objectid); | |||||||
| extern void InsertOneValue(char *value, int i); | extern void InsertOneValue(char *value, int i); | ||||||
| extern void InsertOneNull(int i); | extern void InsertOneNull(int i); | ||||||
|  |  | ||||||
| extern char *MapArrayTypeName(char *s); | extern char *MapArrayTypeName(const char *s); | ||||||
|  |  | ||||||
| extern void index_register(Oid heap, Oid ind, IndexInfo *indexInfo); | extern void index_register(Oid heap, Oid ind, IndexInfo *indexInfo); | ||||||
| extern void build_indices(void); | extern void build_indices(void); | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user