diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2014-12-16 15:35:46 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2014-12-16 15:35:46 -0500 |
| commit | 5c784d96ae445f0d46bd3abde10bb02b186f42e9 (patch) | |
| tree | a5fe3db8f6985d5a07d988c5eef723c128a24554 /src/backend/executor/nodeModifyTable.c | |
| parent | 926da211a38e40f4aec78ccf8aab734bb9b69ba4 (diff) | |
| download | postgresql-5c784d96ae445f0d46bd3abde10bb02b186f42e9.tar.gz postgresql-5c784d96ae445f0d46bd3abde10bb02b186f42e9.zip | |
Fix off-by-one loop count in MapArrayTypeName, and get rid of static array.
MapArrayTypeName would copy up to NAMEDATALEN-1 bytes of the base type
name, which of course is wrong: after prepending '_' there is only room for
NAMEDATALEN-2 bytes. Aside from being the wrong result, this case would
lead to overrunning the statically allocated work buffer. This would be a
security bug if the function were ever used outside bootstrap mode, but it
isn't, at least not in any currently supported branches.
Aside from fixing the off-by-one loop logic, this patch gets rid of the
static work buffer by having MapArrayTypeName pstrdup its result; the sole
caller was already doing that, so this just requires moving the pstrdup
call. This saves a few bytes but mainly it makes the API a lot cleaner.
Back-patch on the off chance that there is some third-party code using
MapArrayTypeName with less-secure input. Pushing pstrdup into the function
should not cause any serious problems for such hypothetical code; at worst
there might be a short term memory leak.
Per Coverity scanning.
Diffstat (limited to 'src/backend/executor/nodeModifyTable.c')
0 files changed, 0 insertions, 0 deletions