From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Hannes Dorbath <light(at)theendofthetunnel(dot)de> |
Cc: | teodor(at)sigaev(dot)ru, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Segmentation fault with 8.3 FTS ISpell |
Date: | 2008-01-16 03:46:13 |
Message-ID: | 17187.1200455173@sss.pgh.pa.us |
Lists: | pgsql-general |
I think I found at least one part of the problem. I was able to
reproduce a crash similar to yours by running the german_ispell
dictionary against long random words, and what I found out is that
it's possible to overrun the fixed-length "buf" buffer declared at
line 1542 of spell.c.
```
Run till exit from #0 CheckCompoundAffixes (ptr=0x7fffc0a66a90,
word=0xb31ec4 "whcfbrvhbcifxdbyrizvdcnggpgtdqzzxbeyszftboyyrzwihvdkyqqefvxil
wihxmfpllimzgkpfgxmbbwyrmcxhzfsvnzszehkppvowfdblanlbjksvmpclutggsyfwfomukzqpcrzd
eleouwjglkrfexlwuqszeetodjdfacifnlshhbnsmexpahlvxdubgopjxso"..., len=285,
CheckInPlace=0 '\0') at spell.c:1482
0x00000000005e273e in SplitToVariants (Conf=0xb38d88, snode=0x0, orig=0x0,
word=0xb31ec0 "nokgwhcfbrvhbcifxdbyrizvdcnggpgtdqzzxbeyszftboyyrzwihvdkyqqef
vxilwihxmfpllimzgkpfgxmbbwyrmcxhzfsvnzszehkppvowfdblanlbjksvmpclutggsyfwfomukzqp
crzdeleouwjglkrfexlwuqszeetodjdfacifnlshhbnsmexpahlvxdubgop"..., wordlen=289,
startpos=0, minpos=-1) at spell.c:1537
1537 while (level > startpos && (lenaff = CheckCompoundAffixe
s(&caff, word + level, wordlen - level, (node) ? true : false)) >= 0)
Value returned is $29 = 283
(gdb) s
1545 lenaff = level - startpos + lenaff;
(gdb)
1547 if (!notprobed[startpos + lenaff - 1])
(gdb)
1550 if (level + lenaff - 1 <= minpos)
(gdb)
1553 if (lenaff > 0)
(gdb)
1554 memcpy(buf, word + startpos, lenaff);
(gdb) p lenaff
$31 = 287
(gdb) p sizeof(buf)
$32 = 256
(gdb)
```
I still don't trust the limited-size stem[] arrays a bit, either.
I am now fairly seriously worried about what other buffer-overrun
bugs may exist in the tsearch code. I would recommend a wholesale
campaign to try to break it with long random words.
regards, tom lane
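As an added illustration that is not part of Tom Lane's message or of the PostgreSQL sources, the C program below shows the defensive shape of the copy at spell.c:1554 (a length check before `memcpy` into a fixed buffer) and a small, deterministic "long random words" harness in the spirit of the recommendation above. The function names, the 1024-byte input word, the LCG generator and the 256-byte candidate buffer (chosen to match the `sizeof(buf)` that gdb printed) are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: the fixed-size buffer is 256 bytes, matching
 * the sizeof(buf) reported by gdb in the message above. */
#define CAND_BUF_SIZE 256

/* Hypothetical stand-in for the memcpy at spell.c:1554.  Copies lenaff bytes
 * of the candidate starting at word + startpos into a fixed buffer.  Unlike an
 * unchecked copy it refuses lengths that would not fit (keeping one byte for
 * the terminating NUL) and lengths that run past the end of the input word.
 * Returns the number of bytes copied, or -1 when the copy is rejected. */
int copy_candidate_checked(char *buf, size_t bufsize, const char *word,
                           int wordlen, int startpos, int lenaff)
{
    if (startpos < 0 || lenaff < 0 || startpos + lenaff > wordlen)
        return -1;                 /* would read beyond the input word */
    if ((size_t)lenaff >= bufsize)
        return -1;                 /* would overrun buf: the crash case */
    memcpy(buf, word + startpos, (size_t)lenaff);
    buf[lenaff] = '\0';
    return lenaff;
}

/* Deterministic 64-bit LCG so the "random" words are reproducible. */
static uint64_t lcg_state = 12345;
static uint64_t lcg_next(void)
{
    lcg_state = lcg_state * 6364136223846793005ULL + 1442695040888963407ULL;
    return lcg_state >> 33;
}

/* Fill out with len lowercase letters (constructed input, not dictionary data). */
static void random_word(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)('a' + lcg_next() % 26);
    out[len] = '\0';
}

/* Rebuild the situation from the gdb session: a word of wordlen letters and a
 * candidate of lenaff bytes copied from startpos 0 into a CAND_BUF_SIZE buffer.
 * Returns whatever the checked copy returns. */
int reproduce_case(int wordlen, int lenaff)
{
    char word[1024];
    char buf[CAND_BUF_SIZE];
    if (wordlen < 0 || wordlen >= (int)sizeof word)
        return -1;
    random_word(word, (size_t)wordlen);
    return copy_candidate_checked(buf, sizeof buf, word, wordlen, 0, lenaff);
}

/* Harness in the spirit of "try to break it with long random words": push
 * iterations words of length 1..maxlen through the checked copy.  Returns the
 * number of words rejected as too long, or -1 if a copy that succeeded did not
 * reproduce the word exactly (a self-check of the harness). */
int fuzz_long_words(int iterations, size_t maxlen)
{
    char word[1024];
    char buf[CAND_BUF_SIZE];
    int rejected = 0;
    if (maxlen == 0 || maxlen >= sizeof word)
        return -1;
    for (int i = 0; i < iterations; i++) {
        size_t len = 1 + (size_t)(lcg_next() % maxlen);
        random_word(word, len);
        int n = copy_candidate_checked(buf, sizeof buf, word, (int)len, 0, (int)len);
        if (n < 0)
            rejected++;
        else if ((size_t)n != len || memcmp(buf, word, len) != 0)
            return -1;
    }
    return rejected;
}

int main(void)
{
    printf("lenaff=287 into a 256-byte buf: %d\n", reproduce_case(289, 287));
    printf("lenaff=255 into a 256-byte buf: %d\n", reproduce_case(289, 255));
    printf("rejected out of 2000 words up to 600 letters: %d\n",
           fuzz_long_words(2000, 600));
    return 0;
}
```

With the values from the gdb session (wordlen 289, lenaff 287) the checked copy returns -1 instead of writing 31 bytes past the end of a 256-byte stack buffer; the harness reports how many generated words would have triggered the same rejection, and 0 when every word fits.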