From: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
---|---|
To: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | CID 1428952 (#1 of 1): Out-of-bounds access (OVERRUN) (src/backend/commands/async.c) |
Date: | 2020-07-18 14:34:54 |
Message-ID: | CAEudQAq5jaRB01ZpmkXOVNSjm92cru1gvuAKG6Fu686wLo7Nbw@mail.gmail.com |
Lists: | pgsql-hackers |
Hi Tom,
Can you take a look?
Per Coverity.
There is something wrong with the definition of QUEUE_PAGESIZE in async.c:
1. #define QUEUE_PAGESIZE BLCKSZ
2. BLCKSZ is 8192
3. sizeof(AsyncQueueControl) is 8080, according to Coverity (Windows 64 bits)
4. (Line 1508) qe.length = QUEUE_PAGESIZE - offset;
5. offset is zero
6. qe.length is 8192
    /* Now copy qe into the shared buffer page */
    memcpy(NotifyCtl->shared->page_buffer[slotno] + offset,
           &qe,
           qe.length);
CID 1428952 (#1 of 1): Out-of-bounds access (OVERRUN) at line 1515, with memcpy call.
9. overrun-buffer-arg: Overrunning struct type AsyncQueueEntry of 8080 bytes by passing it to a function which accesses it at byte offset 8191 using argument qe.length (which evaluates to 8192).
Question:
1. Is NotifyCtl->shared->page_buffer[slotno] really of struct type AsyncQueueEntry?
regards,
Ranier Vilela
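Added illustration, not part of the message above and not PostgreSQL's source: a scaled-down C model of the page/entry pattern the report describes. The names (Entry, page_put, page_append, unclamped_overread) and the sizes (PAGESIZE 64 standing in for BLCKSZ, DATA_MAX 24 standing in for the channel+payload array) are constructed. It shows three things: the arithmetic behind the analyzer's complaint (a filler length of PAGESIZE - offset taken at offset 0 exceeds sizeof of the local struct); the invariant that bounds a filler in this model, namely that a filler is only written when a real entry no larger than sizeof(Entry) did not fit, so the filler is always shorter than that entry; and a defensive copy that clamps the memcpy to sizeof and zero-fills the remaining declared length, which keeps the page fully initialized and makes the bound explicit to a static analyzer without changing the on-page layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model of the notify queue page discussed above; it is
 * not PostgreSQL's code. Sizes are scaled down from BLCKSZ and the real
 * AsyncQueueEntry so that a whole page is easy to reason about. */
#define PAGESIZE 64                /* stands in for QUEUE_PAGESIZE */
#define DATA_MAX 24                /* stands in for channel+payload space */

typedef struct Entry
{
    int32_t length;                /* bytes this entry occupies on the page */
    int32_t dboid;                 /* 0 marks a filler entry readers skip */
    char    data[DATA_MAX];        /* channel name, NUL, payload, NUL */
} Entry;                           /* sizeof(Entry) == 32 with these sizes */

/* Fill 'e' from a channel/payload pair; returns e->length, or -1 if the
 * strings do not fit. A real entry's length never exceeds sizeof(Entry). */
static int32_t make_entry(Entry *e, int32_t dboid,
                          const char *channel, const char *payload)
{
    size_t clen = strlen(channel) + 1;
    size_t plen = strlen(payload) + 1;

    if (clen + plen > DATA_MAX)
        return -1;
    memset(e, 0, sizeof(*e));
    e->dboid = dboid;
    memcpy(e->data, channel, clen);
    memcpy(e->data + clen, payload, plen);
    e->length = (int32_t)(offsetof(Entry, data) + clen + plen);
    return e->length;
}

/* What the analyzer computed: if a filler of length PAGESIZE - offset were
 * copied from a local Entry with an unclamped memcpy, how many bytes past
 * the struct would be read? (32 at offset 0 here; the report's figures
 * are 8192 - 8080 = 112.) */
static int32_t unclamped_overread(int32_t offset)
{
    int32_t len = PAGESIZE - offset;
    return len > (int32_t)sizeof(Entry) ? len - (int32_t)sizeof(Entry) : 0;
}

/* Copy an entry onto the page. The copy is clamped to sizeof(*e) and any
 * remaining declared length is zero-filled, so the local struct is never
 * over-read even if a caller passes length > sizeof(*e). Returns the next
 * free offset, or -1 if the entry does not fit or its header is bogus. */
static int32_t page_put(unsigned char *page, int32_t offset, const Entry *e)
{
    size_t copy;

    if (offset < 0 || e->length < (int32_t)offsetof(Entry, data) ||
        offset + e->length > PAGESIZE)
        return -1;
    copy = (size_t)e->length < sizeof(*e) ? (size_t)e->length : sizeof(*e);
    memcpy(page + offset, e, copy);
    if ((size_t)e->length > copy)
        memset(page + offset + copy, 0, (size_t)e->length - copy);
    return offset + e->length;
}

/* Append 'e' at 'offset'. If it does not fit, write a filler entry that
 * consumes the rest of the page instead (the "qe.length = QUEUE_PAGESIZE -
 * offset" case from the report). *filler_len receives the filler's length,
 * or 0 when no filler was needed. */
static int32_t page_append(unsigned char *page, int32_t offset,
                           const Entry *e, int32_t *filler_len)
{
    Entry filler;

    *filler_len = 0;
    if (offset + e->length <= PAGESIZE)
        return page_put(page, offset, e);

    memset(&filler, 0, sizeof(filler));
    filler.dboid = 0;                    /* readers ignore dboid 0 */
    filler.length = PAGESIZE - offset;
    /* We only get here because e did not fit, so
     * PAGESIZE - offset < e->length <= sizeof(Entry): in this model the
     * filler is always shorter than a real entry. page_put clamps anyway. */
    *filler_len = filler.length;
    return page_put(page, offset, &filler);
}

/* Try every aligned starting offset with entry 'e' and return the largest
 * filler length produced; it is always below sizeof(Entry). */
static int32_t max_filler_for_entry(const Entry *e)
{
    unsigned char page[PAGESIZE];
    int32_t worst = 0, off;

    for (off = 0; off < PAGESIZE; off += 8)
    {
        int32_t flen;
        memset(page, 0, sizeof(page));
        if (page_append(page, off, e, &flen) >= 0 && flen > worst)
            worst = flen;
    }
    return worst;
}

/* Read back the length field of the entry stored at 'offset'. */
static int32_t stored_length(const unsigned char *page, int32_t offset)
{
    int32_t len;
    memcpy(&len, page + offset, sizeof(len));
    return len;
}
```

The clamp in page_put is the part a reviewer would add regardless of whether the real code's invariant holds: it costs nothing on the hot path, it guarantees the destination bytes are initialized, and it turns an argument about caller behaviour into a local check that tools like Coverity can see.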