Fix xslt_process() to ensure that it inserts a NULL terminator after the

last pair of parameter name/value strings, even when there are MAXPARAMS of them. Aboriginal bug in contrib/xml2, noted while studying bug #4912 (though I'm not sure whether there's something else involved in that report). This might be thought a security issue, since it's a potential backend crash; but considering that untrustworthy users shouldn't be allowed to get their hands on xslt_process() anyway, it's probably not worth getting excited about.
2024-12-03 08:00:21 +08:00 · 2009-07-10 00:32:12 +00:00 · 2009-07-10 00:32:12 +00:00 · 1201008103
commit 1201008103
parent 96ee4c9726
1 changed files with 11 additions and 7 deletions
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@ -35,7 +35,8 @@ static void parse_params(const char **params, text *paramstr);
 Datum		xslt_process(PG_FUNCTION_ARGS);


-#define MAXPARAMS 20
+#define MAXPARAMS 20			/* must be even, see parse_params() */
+

 PG_FUNCTION_INFO_V1(xslt_process);

@ -135,12 +136,11 @@ xslt_process(PG_FUNCTION_ARGS)
 }


-void
+static void
 parse_params(const char **params, text *paramstr)
 {
 	char	   *pos;
 	char	   *pstr;
-
 	int			i;
 	char	   *nvsep = "=";
 	char	   *itsep = ",";
@ -160,11 +160,13 @@ parse_params(const char **params, text *paramstr)
 		}
 		else
 		{
-			params[i] = NULL;
+			/* No equal sign, so ignore this "parameter" */
+			/* We'll reset params[i] to NULL below the loop */
 			break;
 		}
 		/* Value */
 		i++;
+		/* since MAXPARAMS is even, we still have i < MAXPARAMS */
 		params[i] = pos;
 		pos = strstr(pos, itsep);
 		if (pos != NULL)
@ -173,9 +175,11 @@ parse_params(const char **params, text *paramstr)
 			pos++;
 		}
 		else
+		{
+			i++;
 			break;
-
+		}
 	}
-	if (i < MAXPARAMS)
-		params[i + 1] = NULL;
+
+	params[i] = NULL;
 }