| From: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | numeric access out of bounds |
| Date: | 2015-01-24 14:15:27 |
| Message-ID: | 8761bwiehf.fsf@news-spur.riddles.org.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Happened to notice this:
postgres=# select numeric_send('NaN');
numeric_send
--------------------
\x00007f7ec0000000
(1 row)
7f7e obviously screams "accessing memory beyond the end of data", and
indeed this is so: init_var_from_num, when passed a NaN, accesses two
bytes after the input. This probably goes unnoticed because a NaN is 6
bytes including varlena header, so the next two bytes wouldn't cause a
segfault (and clients shouldn't care about the value since the NaN flag
is set), but it's still clearly wrong.
I can see two possible fixes: one to correct the assumptions in the
macros, the other to check for NaN before calling init_var_from_num in
numeric_send (all the other functions seem to do this check explicitly).
Which would be preferable?
--
Andrew (irc:RhodiumToad)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2015-01-24 16:59:37 | Re: numeric access out of bounds |
| Previous Message | Martijn van Oosterhout | 2015-01-24 10:41:24 | Re: hung backends stuck in spinlock heavy endless loop |