From: Tom Lane Date: Fri, 10 Jul 2009 00:32:23 +0000 (+0000) Subject: Fix xslt_process() to ensure that it inserts a NULL terminator after the X-Git-Tag: REL8_1_18~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b99751a199742f1b50e0fc3f8249b53d69c8eb88;p=thirdparty%2Fpostgresql.git Fix xslt_process() to ensure that it inserts a NULL terminator after the last pair of parameter name/value strings, even when there are MAXPARAMS of them. Aboriginal bug in contrib/xml2, noted while studying bug #4912 (though I'm not sure whether there's something else involved in that report). This might be thought a security issue, since it's a potential backend crash; but considering that untrustworthy users shouldn't be allowed to get their hands on xslt_process() anyway, it's probably not worth getting excited about. --- diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c index ff2ab8d0456..558257d592f 100644 --- a/contrib/xml2/xslt_proc.c +++ b/contrib/xml2/xslt_proc.c @@ -35,7 +35,8 @@ static void parse_params(const char **params, text *paramstr); Datum xslt_process(PG_FUNCTION_ARGS); -#define MAXPARAMS 20 +#define MAXPARAMS 20 /* must be even, see parse_params() */ + PG_FUNCTION_INFO_V1(xslt_process); @@ -135,12 +136,11 @@ xslt_process(PG_FUNCTION_ARGS) } -void +static void parse_params(const char **params, text *paramstr) { char *pos; char *pstr; - int i; char *nvsep = "="; char *itsep = ","; @@ -160,11 +160,13 @@ parse_params(const char **params, text *paramstr) } else { - params[i] = NULL; + /* No equal sign, so ignore this "parameter" */ + /* We'll reset params[i] to NULL below the loop */ break; } /* Value */ i++; + /* since MAXPARAMS is even, we still have i < MAXPARAMS */ params[i] = pos; pos = strstr(pos, itsep); if (pos != NULL) @@ -173,9 +175,11 @@ parse_params(const char **params, text *paramstr) pos++; } else + { + i++; break; - + } } - if (i < MAXPARAMS) - params[i + 1] = NULL; + + params[i] = NULL; }