authorTom Lane <tgl@sss.pgh.pa.us>2007-08-21 02:40:12 +0000
committerTom Lane <tgl@sss.pgh.pa.us>2007-08-21 02:40:12 +0000
commitc40f60db3f8cc482b91be9a641ef69ff58666070 (patch)
tree032c829d92f81e596f70b75314a655c3ac285847
parent37b57f118663d33583454ea7b01fc6db42deb219 (diff)
Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the
byte after the last full byte of the bit array, regardless of whether that byte was part of the valid data or not. Found by buildfarm testing. Thanks to Stefan Kaltenbrunner for nailing down the cause.
-rw-r--r--src/backend/utils/adt/varbit.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/src/backend/utils/adt/varbit.c b/src/backend/utils/adt/varbit.c
index e0a67d340ef..e89e2bf323d 100644
--- a/src/backend/utils/adt/varbit.c
+++ b/src/backend/utils/adt/varbit.c
@@ -9,7 +9,7 @@
* Portions Copyright (c) 1994, Regents of the University of California
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.50 2006/07/14 14:52:24 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.50.2.1 2007/08/21 02:40:12 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@@ -468,8 +468,9 @@ varbit_out(PG_FUNCTION_ARGS)
result = (char *) palloc(len + 1);
sp = VARBITS(s);
r = result;
- for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
+ for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
{
+ /* print full bytes */
x = *sp;
for (k = 0; k < BITS_PER_BYTE; k++)
{
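Review bot: The new full-byte loop bound `i <= len - BITS_PER_BYTE` is correct only if `i` and `len` are signed, because for a bit string shorter than one byte the subtraction has to go negative for the loop to be skipped. The declarations are outside this hunk, so that is presumably the case but cannot be confirmed here. Writing the condition as `i + BITS_PER_BYTE <= len` removes the dependence on signedness and ties each read of `*sp` directly to the number of valid bits. The `if (i < len)` guard in the following hunk relies on the same `len`, so a comment above the loop such as `/* never fetch *sp unless it holds at least one valid bit */` would record the invariant for both. The diffstat shows only varbit.c changed; a regression case covering a zero-length bit string and one whose length is an exact multiple of eight would pin the fix.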
@@ -477,11 +478,15 @@ varbit_out(PG_FUNCTION_ARGS)
x <<= 1;
}
}
- x = *sp;
- for (k = i; k < len; k++)
+ if (i < len)
{
- *r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
- x <<= 1;
+ /* print the last partial byte */
+ x = *sp;
+ for (k = i; k < len; k++)
+ {
+ *r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
+ x <<= 1;
+ }
}
*r = '\0';