From 623f77e9d1338720512430a0b8e824d7359739b8 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Tue, 6 Sep 2011 14:50:28 -0400
Subject: [PATCH] Avoid possibly accessing off the end of memory in SJIS2004
 conversion.

The code in shift_jis_20042euc_jis_2004() would fetch two bytes even when
only one remained in the string.  Since conversion functions aren't
supposed to assume null-terminated input, this poses a small risk of
fetching past the end of memory and incurring SIGSEGV.  No such crash has
been identified in the field, but we've certainly seen the equivalent
happen in other code paths, so patch this one all the way back.

Report and patch by Noah Misch.
---
 .../conversion_procs/euc2004_sjis2004/euc2004_sjis2004.c  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/backend/utils/mb/conversion_procs/euc2004_sjis2004/euc2004_sjis2004.c b/src/backend/utils/mb/conversion_procs/euc2004_sjis2004/euc2004_sjis2004.c
index 3499f774b34..868bdbcf69c 100644
--- a/src/backend/utils/mb/conversion_procs/euc2004_sjis2004/euc2004_sjis2004.c
+++ b/src/backend/utils/mb/conversion_procs/euc2004_sjis2004/euc2004_sjis2004.c
@@ -218,8 +218,7 @@ get_ten(int b, int *ku)
 static void
 shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len)
 {
-	int			c1,
-				c2;
+	int			c1;
 	int			ku,
 				ten,
 				kubun;
@@ -229,7 +228,6 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
 	while (len > 0)
 	{
 		c1 = *sjis;
-		c2 = sjis[1];
 
 		if (!IS_HIGHBIT_SET(c1))
 		{
@@ -245,7 +243,7 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
 
 		l = pg_encoding_verifymb(PG_SHIFT_JIS_2004, (const char *) sjis, len);
 
-		if (l < 0)
+		if (l < 0 || l > len)
 			report_invalid_encoding(PG_SHIFT_JIS_2004,
 									(const char *) sjis, len);
 
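Review bot: The new `l > len` guard on the `if (l < 0 || l > len)` line has no comment, yet it is the condition that makes the deferred `int c2 = sjis[1];` read in the later `else if (l == 2)` hunk safe — once the guard passes, reaching that branch implies len >= 2, which is exactly the property the old unconditional `c2 = sjis[1]` lacked. I would record that dependency at both sites so a future edit does not hoist the read back above the check: on the guard `/* never trust a length beyond the bytes we were given; c2 below indexes sjis[1] */` and on the declaration `/* safe: l == 2 and l <= len were verified above */`. Whether pg_encoding_verifymb can actually return a length larger than len is not visible here, so the guard appears to be defense in depth rather than a known failure mode; the comment should say which. The body of shift_jis_20042euc_jis_2004 begins in the first hunk and continues past this one.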
@@ -257,6 +255,8 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
 		}
 		else if (l == 2)
 		{
+			int			c2 = sjis[1];
+
 			plane = 1;
 			ku = 1;
 			ten = 1;
-- 
GitLab