Avoid possibly accessing off the end of memory in SJIS2004 conversion.

The code in shift_jis_20042euc_jis_2004() would fetch two bytes even when
only one remained in the string.  Since conversion functions aren't
supposed to assume null-terminated input, this poses a small risk of
fetching past the end of memory and incurring SIGSEGV.  No such crash has
been identified in the field, but we've certainly seen the equivalent
happen in other code paths, so patch this one all the way back.

Report and patch by Noah Misch.

diff --git a/src/backend/utils/mb/conversion_procs/euc_jis_2004_and_shift_jis_2004/euc_jis_2004_and_shift_jis_2004.c b/src/backend/utils/mb/conversion_procs/euc_jis_2004_and_shift_jis_2004/euc_jis_2004_and_shift_jis_2004.c
index a6d8490bdea173b71ee5e9e1d6274d68245f8a00..f69e43f37b4eb5bda38292068ef735c165dc8464 100644 (file)
--- a/src/backend/utils/mb/conversion_procs/euc_jis_2004_and_shift_jis_2004/euc_jis_2004_and_shift_jis_2004.c
+++ b/src/backend/utils/mb/conversion_procs/euc_jis_2004_and_shift_jis_2004/euc_jis_2004_and_shift_jis_2004.c
@@ -217,8 +217,7 @@ get_ten(int b, int *ku)
 static void
 shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len)
 {
-       int                     c1,
-                               c2;
+       int                     c1;
        int                     ku,
                                ten,
                                kubun;
@@ -228,7 +227,6 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
        while (len > 0)
        {
                c1 = *sjis;
-               c2 = sjis[1];
 
                if (!IS_HIGHBIT_SET(c1))
                {
@@ -244,7 +242,7 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
 
                l = pg_encoding_verifymb(PG_SHIFT_JIS_2004, (const char *) sjis, len);
 
-               if (l < 0)
+               if (l < 0 || l > len)
                        report_invalid_encoding(PG_SHIFT_JIS_2004,
                                                                        (const char *) sjis, len);
 
@@ -256,6 +254,8 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
                }
                else if (l == 2)
                {
+                       int                     c2 = sjis[1];
+
                        plane = 1;
                        ku = 1;
                        ten = 1;