| From: | sean <zoulx1982(at)163(dot)com> |
|---|---|
| To: | "Noah Misch" <noah(at)leadboat(dot)com> |
| Cc: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: pgsql: With GB18030, prevent SIGSEGV from reading past end of allocation |
| Date: | 2025-05-14 08:38:06 |
| Message-ID: | 3674cec2.7edf.196cdf19dbf.Coremail.zoulx1982@163.com |
| Lists: | pgsql-committers |
Hi Noah Misch,
I read the patch you committed to pgsql, and I found there are also some other routines which
still call pg_encoding_mblen to get the char length.
I have no idea why these routines don't have to be replaced by calls to pg_encoding_mblen_or_incomplete.
And what can I do to reproduce this crash?
Thank you for your time.
Regards.
At 2025-05-09 01:33:58, "Noah Misch" <noah(at)leadboat(dot)com> wrote:
>With GB18030, prevent SIGSEGV from reading past end of allocation.
>
>With GB18030 as source encoding, applications could crash the server via
>SQL functions convert() or convert_from(). Applications themselves
>could crash after passing unterminated GB18030 input to libpq functions
>PQescapeLiteral(), PQescapeIdentifier(), PQescapeStringConn(), or
>PQescapeString(). Extension code could crash by passing unterminated
>GB18030 input to jsonapi.h functions. All those functions have been
>intended to handle untrusted, unterminated input safely.
>
>A crash required allocating the input such that the last byte of the
>allocation was the last byte of a virtual memory page. Some malloc()
>implementations take measures against that, making the SIGSEGV hard to
>reach. Back-patch to v13 (all supported versions).
>
>Author: Noah Misch <noah(at)leadboat(dot)com>
>Author: Andres Freund <andres(at)anarazel(dot)de>
>Reviewed-by: Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>
>Backpatch-through: 13
>Security: CVE-2025-4207
>
>Branch
>------
>REL_15_STABLE
>
>Details
>-------
>https://git.postgresql.org/pg/commitdiff/44ba3f55f552b56b2fbefae028fcf3ea5b53461d
>
>Modified Files
>--------------
>src/backend/utils/mb/mbutils.c | 18 ++++--
>src/common/jsonapi.c | 7 ++-
>src/common/wchar.c | 51 +++++++++++++--
>src/include/mb/pg_wchar.h | 2 +
>src/interfaces/libpq/fe-exec.c | 6 +-
>src/interfaces/libpq/fe-misc.c | 15 ++---
>src/test/modules/test_escape/test_escape.c | 99 ++++++++++++++++++++++++++++++
>src/test/regress/expected/conversion.out | 13 ++--
>src/test/regress/sql/conversion.sql | 7 ++-
>9 files changed, 188 insertions(+), 30 deletions(-)
>
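The commit message above states the preconditions for the crash (unterminated GB18030 input whose last byte is the last byte of a page) but not the mechanism. As an added example, which is not code from PostgreSQL, from Noah Misch or from the author of this mail, the C program below shows why a GB18030 length routine that peeks at the next byte overreads on unterminated input, and what a bounded replacement looks like. It assumes only the byte structure of GB18030 (a byte below 0x80 is a one-byte character; a lead byte is followed by a digit 0x30..0x39 in a four-byte character and by anything else in a two-byte one). The function names, the INT_MAX "incomplete" sentinel and the sample byte strings are my own constructions, not the project's API, and the guard-page layout is my recreation of the condition the commit message describes: the input ends at a page boundary and the following page is unreadable, so the bounded scan can be run over it while the unbounded routine would fault.

```c
/* Added illustration, not PostgreSQL code: GB18030 length lookup on unterminated
 * input, unbounded (overreads) versus bounded (reports "incomplete" instead). */
#define _DEFAULT_SOURCE 1       /* exposes mmap/mprotect/MAP_ANONYMOUS on glibc */
#include <limits.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample inputs (not from the thread); no NUL terminator follows. */
static const unsigned char SAMPLE_COMPLETE[] = {
    0x41,                   /* 'A': 1 byte */
    0xB0, 0xA1,             /* lead byte + non-digit: 2 bytes */
    0x81, 0x30, 0x81, 0x30  /* lead byte + digit: 4 bytes */
};
static const unsigned char SAMPLE_TRUNCATED[] = { 0x41, 0xB0 }; /* ends on a lead byte */

/* GB18030: a byte below 0x80 is a 1-byte character; for a lead byte the NEXT
 * byte decides between 2 and 4 bytes (0x30..0x39 means 4). This version assumes
 * a terminator follows, so it reads s[1] even when s[0] is the caller's last byte. */
static int gb18030_mblen_unbounded(const unsigned char *s)
{
    if (s[0] < 0x80)
        return 1;
    return (s[1] >= 0x30 && s[1] <= 0x39) ? 4 : 2;
}

/* Bounded version: never touches s[i] for i >= remaining. INT_MAX (my sentinel
 * choice) means the character is not complete within the remaining bytes. */
static int gb18030_mblen_bounded(const unsigned char *s, size_t remaining)
{
    int len;
    if (remaining == 0)
        return INT_MAX;
    if (s[0] < 0x80)
        return 1;
    if (remaining < 2)
        return INT_MAX;         /* the lookahead byte itself is out of bounds */
    len = (s[1] >= 0x30 && s[1] <= 0x39) ? 4 : 2;
    return (size_t) len <= remaining ? len : INT_MAX;
}

/* Count complete characters in len bytes; -1 if the buffer ends mid-character. */
static long count_gb18030_chars(const unsigned char *s, size_t len)
{
    long n = 0;
    size_t i = 0;
    while (i < len) {
        int l = gb18030_mblen_bounded(s + i, len - i);
        if (l == INT_MAX)
            return -1;
        i += (size_t) l;
        n++;
    }
    return n;
}

/* Bytes past the end the unbounded routine WOULD read over the same buffer
 * (computed, not performed). */
static size_t unbounded_overread(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (s[i] >= 0x80 && i + 1 >= len)
            return 1;           /* would read s[len] to classify s[i] */
        i += (size_t) gb18030_mblen_unbounded(s + i);
    }
    return 0;
}

/* Recreate the layout from the commit message: the input's last byte is the last
 * byte of a page and the next page is PROT_NONE. Returns the bounded character
 * count, or -2 if the mapping could not be set up. */
static long scan_at_page_end(const unsigned char *data, size_t len)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *region, *input;
    long result;
    if (pagesz <= 0 || (size_t) pagesz < len)
        return -2;
    region = mmap(NULL, 2 * (size_t) pagesz, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -2;
    if (mprotect(region + pagesz, (size_t) pagesz, PROT_NONE) != 0) {
        munmap(region, 2 * (size_t) pagesz);
        return -2;
    }
    input = region + pagesz - len;  /* input[len] is the first guard byte */
    memcpy(input, data, len);
    /* gb18030_mblen_unbounded(input + len - 1) would SIGSEGV here for
     * SAMPLE_TRUNCATED; the bounded scan never reaches the guard page. */
    result = count_gb18030_chars(input, len);
    munmap(region, 2 * (size_t) pagesz);
    return result;
}
```

Call scan_at_page_end(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED) from a main() to see the bounded scan return -1 (incomplete tail) without touching the guard page; to reproduce the fault the commit fixes, replace that call with gb18030_mblen_unbounded(input + len - 1) inside scan_at_page_end, which dereferences the first byte of the PROT_NONE page. The commit message notes that ordinary malloc() rarely produces this layout, which is why the explicit mmap/mprotect arrangement is needed to trigger it deterministically.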