Re: [CHECKER] 9 potential out-of-bounds array access errors


  • From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
  • To: "Yichen Xie" <yxie(at)cs(dot)stanford(dot)edu>
  • Cc: pgsql-bugs(at)postgresql(dot)org, mc(at)cs(dot)stanford(dot)edu
  • Subject: Re: [CHECKER] 9 potential out-of-bounds array access errors
  • Date: Tue, 28 Jan 2003 20:37:33 -0500
  • Message-id: <16573.1043804253@sss.pgh.pa.us>

"Yichen Xie" <yxie(at)cs(dot)stanford(dot)edu> writes:
> We are a group of Stanford researchers, and we've recently developed a
> tool that detects potential out-of-bounds array accesses and buffer
> overruns. Here are 9 potential bugs we've found on postgresql 7.3.1.

Here's a status report:

> [BUG] MAX_TIME_PRECISION defined to be 13 when HAVE_INT64_TIMESTAMP is
> not defined
> /u2/yxie/postgresql-7.3.1/src/backend/utils/adt/date.c:682:AdjustTimeForTypmod: ERROR:BUFFER:682:682:Array bounds error (off >= len) [RANGE]

Real bug introduced in multiple-time-storage-format changes in 7.3.
Fixed in current and 7.3 branch.

> [BUG] "i" can go up to 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:364:CNStoBIG5: ERROR:BUFFER:364:364:Array bounds error

Real bug, code is new in 7.3.  Fixed in current and 7.3 branch.

> [BUG] "i" can go up to 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:371:CNStoBIG5: ERROR:BUFFER:371:371:Array bounds error

As above.

> [BUG] is plpgsql_nDatums 0 here? also, sizeof (plpgsql_nDatums) =
> 2*sizeof(PLpgSQL_datum *)
> /u2/yxie/postgresql-7.3.1/src/pl/plpgsql/src/pl_comp.c:527:plpgsql_compile: ERROR:BUFFER:527:527:Dereferencing uninitialized pointer

Doesn't seem to be a bug, unless I'm missing something.  Checker
apparently fooled by globalness of variable?

> [BUG] does fe_setauthsvc abort the function? if not there's a
> possibility of an overrun
> /u2/yxie/postgresql-7.3.1/src/interfaces/libpq/fe-auth.c:688:fe_getauthsvc: ERROR:BUFFER:688:688:Array bounds error (off >= len)

Potential bug; could only trigger if compile-time-constant
DEFAULT_CLIENT_AUTHSVC has incorrect value.  I wouldn't expect the
checker to realize that, though (it'd take cross-procedural analysis).
Fixed in CVS head in case of future mistakes, but not back-patched.

> [BUG] "i" can go up to 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:325:BIG5toCNS: ERROR:BUFFER:325:325:Array bounds error

See above.

> [BUG] MAX_TIME_PRECISION is 13
> /u2/yxie/postgresql-7.3.1/src/backend/utils/adt/date.c:691:AdjustTimeForTypmod: ERROR:BUFFER:691:691:Array bounds error (off >= len) [RANGE]

See above.

> [BUG]
> /u2/yxie/postgresql-7.3.1/src/backend/utils/mb/conversion_procs/euc_tw_and_big5/big5.c:304:BIG5toCNS: ERROR:BUFFER:304:304:Array bounds error

See above.

> [BUG] ndim can be 0...
> /u2/yxie/postgresql-7.3.1/src/backend/utils/adt/arrayfuncs.c:352:ArrayCount: ERROR:BUFFER:352:352:Array bounds error (off < 0) (temp[ndim - 1],

This cannot happen in current sources because ArrayCount is only invoked
on strings beginning with '{'.  Still, it seems like an accident waiting
to happen.  I've modified CVS tip so that ndim is initialized to 1, not
0, to forestall any future problem.


Thanks for the report!

			regards, tom lane
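The ArrayCount item in the message above (temp[ndim - 1] reachable while ndim is still 0, made safe by starting ndim at 1) is illustrated here with an added example. This is not PostgreSQL's ArrayCount() and not code from the thread: it is a simplified dimension counter for array literals such as "{{1,2},{3,4}}" that keeps the same counting pattern, so both the hazard and the fix can be exercised. MAXDIM, count_dims(), the hardened flag and the error codes are assumptions made for this illustration; the unfixed variant reports where the out-of-bounds write would land instead of performing it.

```c
/*
 * Added example, not PostgreSQL's own ArrayCount(): a simplified dimension
 * counter for array literals such as "{{1,2},{3,4}}" that keeps the shape
 * of the pattern in the report (a per-level counter indexed as
 * temp[ndim - 1]), so the ndim == 0 hazard and the "start ndim at 1" fix
 * can be exercised.  MAXDIM, count_dims() and the error codes are
 * assumptions for this illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXDIM 6                   /* hypothetical nesting limit */
#define ARR_MALFORMED       (-1)   /* bad braces, too deep, no leading '{' */
#define ARR_WOULD_UNDERFLOW (-2)   /* stand-in for the temp[-1] write */

/*
 * Returns the number of dimensions (0 for "{}") and fills dim[0..ndim-1];
 * negative on error.  With hardened == true, ndim starts at 1 and input
 * that does not begin with '{' is rejected here instead of relying on
 * every caller to have checked for the brace.
 */
static int
count_dims(const char *str, int dim[MAXDIM], char typdelim, bool hardened)
{
    int         nest_level = 0;
    int         ndim = hardened ? 1 : 0;   /* the unfixed code started at 0 */
    int         temp[MAXDIM];
    bool        scanning_string = false;
    bool        eoArray = false;
    const char *q;
    int         i;

    for (i = 0; i < MAXDIM; i++)
        temp[i] = dim[i] = 0;

    if (strncmp(str, "{}", 2) == 0)
        return 0;
    if (hardened && str[0] != '{')
        return ARR_MALFORMED;

    for (q = str; !eoArray; q++)
    {
        char c = *q;

        if (c == '\0')
            return ARR_MALFORMED;           /* ran off the end of the literal */
        if (c == '\\' && q[1] != '\0')
        {
            q++;                            /* skip the escaped character */
            continue;
        }
        if (c == '"')
        {
            scanning_string = !scanning_string;
            continue;
        }
        if (scanning_string)
            continue;                       /* braces and delimiters in quotes are data */

        if (c == '{')
        {
            if (nest_level >= MAXDIM)
                return ARR_MALFORMED;       /* would run past temp[] */
            temp[nest_level] = 0;           /* restart the count for this level */
            nest_level++;
            if (nest_level > ndim)
                ndim = nest_level;
        }
        else if (c == '}')
        {
            if (nest_level == 0)
                return ARR_MALFORMED;       /* unmatched '}' */
            nest_level--;
            if (nest_level == 0)
                eoArray = true;             /* closed the outermost array */
            else
                temp[nest_level - 1]++;     /* one more sub-array at this level */
        }
        else if (c == typdelim)
        {
            /*
             * The reported hazard: with no leading '{', ndim is still 0 in the
             * unfixed code and the increment lands on temp[-1], one int before
             * the array on the stack.  Report it instead of doing the write.
             */
            if (ndim == 0)
                return ARR_WOULD_UNDERFLOW;
            temp[ndim - 1]++;               /* delimiters at the innermost level */
        }
        /* anything else is element text */
    }

    /* Outer levels were counted by closing braces; the innermost level by
     * delimiters, which is one short of its element count. */
    for (i = 0; i < ndim - 1; i++)
        dim[i] = temp[i];
    dim[ndim - 1] = temp[ndim - 1] + 1;
    return ndim;
}

int
main(void)
{
    int dim[MAXDIM];
    int n = count_dims("{{1,2},{3,4}}", dim, ',', true);

    printf("ndim=%d dim[0]=%d dim[1]=%d\n", n, dim[0], dim[1]);
    printf("\"1,2\" unfixed: %d  hardened: %d\n",
           count_dims("1,2", dim, ',', false), count_dims("1,2", dim, ',', true));
    return 0;
}
```

On well-formed input both variants agree; the difference shows only on a literal with no leading brace, which is exactly the case the original code left to its callers. Starting ndim at 1 removes the negative index whatever the caller does, and the explicit brace check turns the remaining malformed case into an ordinary parse error rather than an assumption.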


