diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2007-08-21 02:40:12 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2007-08-21 02:40:12 +0000 |
| commit | c40f60db3f8cc482b91be9a641ef69ff58666070 (patch) | |
| tree | 032c829d92f81e596f70b75314a655c3ac285847 | |
| parent | 37b57f118663d33583454ea7b01fc6db42deb219 (diff) | |
| download | postgresql-c40f60db3f8cc482b91be9a641ef69ff58666070.tar.gz postgresql-c40f60db3f8cc482b91be9a641ef69ff58666070.zip | |
Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the
byte after the last full byte of the bit array, regardless of whether that
byte was part of the valid data or not. Found by buildfarm testing.
Thanks to Stefan Kaltenbrunner for nailing down the cause.
| -rw-r--r-- | src/backend/utils/adt/varbit.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/src/backend/utils/adt/varbit.c b/src/backend/utils/adt/varbit.c index e0a67d340ef..e89e2bf323d 100644 --- a/src/backend/utils/adt/varbit.c +++ b/src/backend/utils/adt/varbit.c @@ -9,7 +9,7 @@ * Portions Copyright (c) 1994, Regents of the University of California * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.50 2006/07/14 14:52:24 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.50.2.1 2007/08/21 02:40:12 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -468,8 +468,9 @@ varbit_out(PG_FUNCTION_ARGS) result = (char *) palloc(len + 1); sp = VARBITS(s); r = result; - for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++) + for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++) { + /* print full bytes */ x = *sp; for (k = 0; k < BITS_PER_BYTE; k++) { @@ -477,11 +478,15 @@ varbit_out(PG_FUNCTION_ARGS) x <<= 1; } } - x = *sp; - for (k = i; k < len; k++) + if (i < len) { - *r++ = IS_HIGHBIT_SET(x) ? '1' : '0'; - x <<= 1; + /* print the last partial byte */ + x = *sp; + for (k = i; k < len; k++) + { + *r++ = IS_HIGHBIT_SET(x) ? '1' : '0'; + x <<= 1; + } } *r = '\0'; |