| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Saul Costa <saul(at)mixrank(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: PostgreSQL 9.3 Segfault in "hstore_to_json" function |
| Date: | 2014-11-04 21:40:14 |
| Message-ID: | 18746.1415137214@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Saul Costa <saul(at)mixrank(dot)com> writes:
> Have found an occurrence of a segfault within "vanilla" PostgreSQL 9.3.
> Fresh install, only change is having the hstore extension enabled.
> Issue occurs when using the `hstore_to_json` function. Data was inserted
> using SQLAlchemy but can be reproduced when using a COPY statement (see
> "reproduce.sh"). Was not able to reproduce when running an INSERT statement
> from the psql client (as it escaped the data differently and then did not
> throw the segfault). If I copy / paste the data into a Python console and
> print it it shows up correctly so I'm pretty sure this is not an encoding
> issue.
It looks like the problem is that 9.3's version of hstore_to_json() embeds
an assumption that escape_json() can't increase the length of a string
more than 2x. This is false for ASCII control characters, which get
converted to "\uNNNN", so your test data leads to a buffer overrun that
might or might not chance to stomp on anything critical.
I see that's been fixed in 9.4 and HEAD, but it should've been
back-patched to 9.3.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2014-11-04 22:18:14 | Re: [GENERAL] Re: [HACKERS] COPY TO returning empty result with parallel ALTER TABLE |
| Previous Message | Tom Lane | 2014-11-04 20:36:09 | Re: BUG #11875: char() not behaving as documented |