Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the

byte after the last full byte of the bit array, regardless of whether that
byte was part of the valid data or not.  Found by buildfarm testing.
Thanks to Stefan Kaltenbrunner for nailing down the cause.

diff --git a/src/backend/utils/adt/varbit.c b/src/backend/utils/adt/varbit.c
index 715a99863fda2a1deb3a7aa4f97c69c3940ce48c..ebfba2e1dd758553c76ac8acc9d62ee483de8001 100644 (file)
--- a/src/backend/utils/adt/varbit.c
+++ b/src/backend/utils/adt/varbit.c
@@ -9,7 +9,7 @@
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/utils/adt/varbit.c,v 1.26 2002/09/18 21:35:23 tgl Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/utils/adt/varbit.c,v 1.26.2.1 2007/08/21 02:40:40 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -390,8 +390,9 @@ varbit_out(PG_FUNCTION_ARGS)
        result = (char *) palloc(len + 1);
        sp = VARBITS(s);
        r = result;
-       for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
+       for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
        {
+               /* print full bytes */
                x = *sp;
                for (k = 0; k < BITS_PER_BYTE; k++)
                {
@@ -399,11 +400,15 @@ varbit_out(PG_FUNCTION_ARGS)
                        x <<= 1;
                }
        }
-       x = *sp;
-       for (k = i; k < len; k++)
+       if (i < len)
        {
-               *r++ = (x & BITHIGH) ? '1' : '0';
-               x <<= 1;
+               /* print the last partial byte */
+               x = *sp;
+               for (k = i; k < len; k++)
+               {
+                       *r++ = (x & BITHIGH) ? '1' : '0';
+                       x <<= 1;
+               }
        }
        *r = '\0';