mirror of
https://git.postgresql.org/git/postgresql.git
synced 2025-01-12 18:34:36 +08:00
Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the
byte after the last full byte of the bit array, regardless of whether that byte was part of the valid data or not. Found by buildfarm testing. Thanks to Stefan Kaltenbrunner for nailing down the cause.
This commit is contained in:
parent
25a4a77985
commit
1cee06ac02
@ -9,7 +9,7 @@
|
|||||||
* Portions Copyright (c) 1994, Regents of the University of California
|
* Portions Copyright (c) 1994, Regents of the University of California
|
||||||
*
|
*
|
||||||
* IDENTIFICATION
|
* IDENTIFICATION
|
||||||
* $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.54 2007/06/15 20:56:51 tgl Exp $
|
* $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.55 2007/08/21 02:40:06 tgl Exp $
|
||||||
*
|
*
|
||||||
*-------------------------------------------------------------------------
|
*-------------------------------------------------------------------------
|
||||||
*/
|
*/
|
||||||
@ -537,8 +537,9 @@ varbit_out(PG_FUNCTION_ARGS)
|
|||||||
result = (char *) palloc(len + 1);
|
result = (char *) palloc(len + 1);
|
||||||
sp = VARBITS(s);
|
sp = VARBITS(s);
|
||||||
r = result;
|
r = result;
|
||||||
for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
|
for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
|
||||||
{
|
{
|
||||||
|
/* print full bytes */
|
||||||
x = *sp;
|
x = *sp;
|
||||||
for (k = 0; k < BITS_PER_BYTE; k++)
|
for (k = 0; k < BITS_PER_BYTE; k++)
|
||||||
{
|
{
|
||||||
@ -546,11 +547,15 @@ varbit_out(PG_FUNCTION_ARGS)
|
|||||||
x <<= 1;
|
x <<= 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
x = *sp;
|
if (i < len)
|
||||||
for (k = i; k < len; k++)
|
|
||||||
{
|
{
|
||||||
*r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
|
/* print the last partial byte */
|
||||||
x <<= 1;
|
x = *sp;
|
||||||
|
for (k = i; k < len; k++)
|
||||||
|
{
|
||||||
|
*r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
|
||||||
|
x <<= 1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
*r = '\0';
|
*r = '\0';
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user