Re: [CHECKER] 9 potential out-of-bounds array access errors

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Yichen Xie" <yxie(at)cs(dot)stanford(dot)edu>
Cc: pgsql-bugs(at)postgresql(dot)org, mc(at)cs(dot)stanford(dot)edu
Subject: Re: [CHECKER] 9 potential out-of-bounds array access errors
Date: 2003-01-29 01:37:33
Message-ID: 16573.1043804253@sss.pgh.pa.us
Lists: pgsql-bugs

"Yichen Xie" <yxie(at)cs(dot)stanford(dot)edu> writes:
> We are a group of Stanford researchers, and we've recently developed a
> tool that detects potential out-of-bounds array accesses and buffer
> overruns. Here are 9 potential bugs we've found on postgresql 7.3.1.

Here's a status report:

> [BUG] MAX_TIME_PRECISION defined to be 13 when HAVE_INT64_TIMESTAMP is not defined
> /u2/yxie/postgresql-7.3.1/src/backend/utils/adt/date.c:682:AdjustTimeForTypmod: ERROR:BUFFER:682:682:Array bounds error (off >= len) [RANGE]

Real bug introduced in multiple-time-storage-format changes in 7.3.
Fixed in current and 7.3 branch.

> [BUG] "i" can go up to 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:364:CNStoBIG5: ERROR:BUFFER:364:364:Array bounds error

Real bug, code is new in 7.3. Fixed in current and 7.3 branch.

> [BUG] "i" can go up to 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:371:CNStoBIG5: ERROR:BUFFER:371:371:Array bounds error

As above.

> [BUG] is plpgsql_nDatums 0 here? also, sizeof (plpgsql_nDatums) = 2*sizeof(PLpgSQL_datum *)
> /u2/yxie/postgresql-7.3.1/src/pl/plpgsql/src/pl_comp.c:527:plpgsql_compile: ERROR:BUFFER:527:527:Dereferencing uninitialized pointer

Doesn't seem to be a bug, unless I'm missing something. Checker
apparently fooled by globalness of variable?

> [BUG] does fe_setauthsvc abort the function? if not there's a possibility of an overrun
> /u2/yxie/postgresql-7.3.1/src/interfaces/libpq/fe-auth.c:688:fe_getauthsvc: ERROR:BUFFER:688:688:Array bounds error (off >= len)

Potential bug; could only trigger if compile-time-constant
DEFAULT_CLIENT_AUTHSVC has incorrect value. I wouldn't expect the
checker to realize that, though (it'd take cross-procedural analysis).
Fixed in CVS head in case of future mistakes, but not back-patched.

> [BUG] "i" can go up to 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:325:BIG5toCNS: ERROR:BUFFER:325:325:Array bounds error

See above.

> [BUG] MAX_TIME_PRECISION is 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/adt/date.c:691:AdjustTimeForTypmod: ERROR:BUFFER:691:691:Array bounds error (off >= len) [RANGE]

See above.

> [BUG]
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:304:BIG5toCNS: ERROR:BUFFER:304:304:Array bounds error

See above.

> [BUG] ndim can be 0...
> /u2/yxie/postgresql-7.3.1/src/backend/utils/adt/arrayfuncs.c:352:ArrayCount: ERROR:BUFFER:352:352:Array bounds error (off < 0) (temp[ndim - 1],

This cannot happen in current sources because ArrayCount is only invoked
on strings beginning with '{'. Still, it seems like an accident waiting
to happen. I've modified CVS tip so that ndim is initialized to 1, not
0, to forestall any future problem.

Thanks for the report!

regards, tom lane
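The two bug classes in this report, a precision bound that no longer matches the lookup table it indexes (the date.c and big5.c findings) and a dimension counter that can stay at zero and then index `temp[ndim - 1]` (the ArrayCount finding), are shown below in a constructed C example. This is an added illustration, not PostgreSQL's code: `MAX_PRECISION`, the `scales` table, `truncate_micros` and `count_dims` are hypothetical and are only meant to show the checks that keep such an index inside the table.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical fractional-second precision bound; not PostgreSQL's value. */
#define MAX_PRECISION 6

/* One scale factor per precision 0..MAX_PRECISION, so the table needs
 * exactly MAX_PRECISION + 1 entries. */
static const int64_t scales[MAX_PRECISION + 1] = {
    1, 10, 100, 1000, 10000, 100000, 1000000
};

/* Compile-time guard for the reported bug class: if someone later raises
 * MAX_PRECISION (to 13, say) without extending the table, or shrinks the
 * table without lowering the bound, the build fails instead of the lookup
 * silently reading past the end of the array. */
_Static_assert(sizeof(scales) / sizeof(scales[0]) == MAX_PRECISION + 1,
               "scales[] must have MAX_PRECISION + 1 entries");

/* The shape the checker flagged: a caller-supplied precision (typmod) is
 * used directly as an index. Any value above MAX_PRECISION, or below zero,
 * reads outside scales[]. Shown for contrast only; do not call with
 * untrusted input. */
int64_t scale_unchecked(int precision)
{
    return scales[precision];
}

/* Hardened form: validate the precision before it becomes an index.
 * Truncates a microsecond count to `precision` fractional digits.
 * A negative precision means "unspecified" and leaves the value unchanged.
 * Returns 0 on success, -1 if precision exceeds the table bound. */
int truncate_micros(int64_t micros, int precision, int64_t *out)
{
    if (precision < 0) {
        *out = micros;
        return 0;
    }
    if (precision > MAX_PRECISION)
        return -1;

    /* Index is now provably in 0..MAX_PRECISION, i.e. inside scales[]. */
    int64_t divisor = scales[MAX_PRECISION - precision];
    *out = micros - micros % divisor;
    return 0;
}

/* In the spirit of the ArrayCount finding: count leading '{' characters
 * as array dimensions. If the string does not start with '{', ndim would
 * stay 0 and an expression such as temp[ndim - 1] would index at -1.
 * Rather than relying on every caller to pass only brace-prefixed input,
 * reject that case here. Returns 0 on success, -1 if no dimension found. */
int count_dims(const char *s, int *ndim)
{
    int n = 0;
    while (s[n] == '{')
        n++;
    if (n == 0)
        return -1;
    *ndim = n;
    return 0;
}
```

The runtime check in `truncate_micros` and the `_Static_assert` are complementary: the former rejects bad input that reaches the function, the latter catches the maintenance error (constant and table drifting apart) that the checker found, at build time rather than through a later out-of-bounds read.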
