From: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
---|---|
To: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Possible memory corruption (src/timezone/zic.c b/src/timezone/zic.c) |
Date: | 2021-05-14 21:43:24 |
Message-ID: | CAEudQApPZCp12sc6Uu+V6WjNHQD4N3b0w7img99K8Eehoy5OAA@mail.gmail.com |
Lists: | pgsql-hackers |
Hi,
Per Coverity.
CID 1412632 (#1 of 1): Out-of-bounds access (OVERRUN)
1. overrun-buffer-val: Overrunning buffer pointed to by &c of 1 bytes by
passing it to a function which accesses it at byte offset 4.
For some people, Coverity opinions count for zero.
Who knows, for others it helps.
It doesn't matter whether WideCharToMultiByte will fail or not, the danger
exists.
If WideCharToMultiByte returns 4, memmove will possibly destroy 4 bytes.
The fix: use of the traditional and bogus C style, without tricks.
diff --git a/src/timezone/zic.c b/src/timezone/zic.c
index 0ea6ead2db..a5f7e7f1cd 100644
--- a/src/timezone/zic.c
+++ b/src/timezone/zic.c
@@ -1129,9 +1129,9 @@ static bool
itssymlink(char const *name)
{
#ifdef HAVE_SYMLINK
- char c;
+ char linkpath[MAXPGPATH];
- return 0 <= readlink(name, &c, 1);
+ return 0 <= readlink(name, linkpath, sizeof(linkpath));
#else
return false;
#endif
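Review bot: the removed call `readlink(name, &c, 1)` already passes a length equal to the size of `c`, so the overrun reported at byte offset 4 can only occur if the readlink implementation being called writes more than the length it is given. Enlarging the caller's buffer to `linkpath[MAXPGPATH]` hides that for this one call site but leaves the callee able to overrun any other small buffer; the WideCharToMultiByte/memmove path named in the message should clamp its copy to the caller-supplied size, and this hunk could then stay as it was. If the larger buffer is kept anyway, add a comment above `linkpath` saying that its contents are never read and only the return value is tested, since a MAXPGPATH-sized stack array for an existence check otherwise looks accidental.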
regards,
Ranier Vilela
Attachment | Content-Type | Size |
---|---|---|
fix_possible_memory_corruption_zic.patch | application/octet-stream | 395 bytes |