Fix potential buffer overrun in cube_out(), per report from

author Tom Lane <tgl@sss.pgh.pa.us>

Sun, 18 Aug 2002 20:15:52 +0000 (20:15 +0000)

committer Tom Lane <tgl@sss.pgh.pa.us>

Sun, 18 Aug 2002 20:15:52 +0000 (20:15 +0000)
author Tom Lane <tgl@sss.pgh.pa.us>
Sun, 18 Aug 2002 20:15:52 +0000 (20:15 +0000)
committer Tom Lane <tgl@sss.pgh.pa.us>
Sun, 18 Aug 2002 20:15:52 +0000 (20:15 +0000)
diff --git a/contrib/cube/cube.c b/contrib/cube/cube.c

index c97e86d3b408c524a2392152e78c1b8abf9813d3..b0b479016a78ae55bda3c42326d39e9ae4768700 100644 (file)
--- a/contrib/cube/cube.c
+++ b/contrib/cube/cube.c
@@ -10,6 +10,7 @@
  
  #include "access/gist.h"
  #include "access/rtree.h"
+#include "lib/stringinfo.h"
  #include "utils/elog.h"
  #include "utils/palloc.h"
  #include "utils/builtins.h"
@@ -107,47 +108,43 @@ cube_in(char *str)
   *        char *out_func(char *);
   */
  char *
-cube_out(NDBOX * cube)
+cube_out(NDBOX *cube)
  {
-       char       *result;
-       char       *p;
-       int                     equal = 1;
+       StringInfoData buf;
+       bool            equal = true;
         int                     dim = cube->dim;
         int                     i;
  
-       if (cube == NULL)
-               return (NULL);
-
-       p = result = (char *) palloc(100);
+       initStringInfo(&buf);
  
         /*
          * while printing the first (LL) corner, check if it is equal to the
-        * scond one
+        * second one
          */
-       p += sprintf(p, "(");
+       appendStringInfoChar(&buf, '(');
         for (i = 0; i < dim; i++)
         {
-               p += sprintf(p, "%g", cube->x[i]);
-               p += sprintf(p, ", ");
+               if (i > 0)
+                       appendStringInfo(&buf, ", ");
+               appendStringInfo(&buf, "%g", cube->x[i]);
                 if (cube->x[i] != cube->x[i + dim])
-                       equal = 0;
+                       equal = false;
         }
-       p -= 2;                                         /* get rid of the last ", " */
-       p += sprintf(p, ")");
+       appendStringInfoChar(&buf, ')');
  
         if (!equal)
         {
-               p += sprintf(p, ",(");
-               for (i = dim; i < dim * 2; i++)
+               appendStringInfo(&buf, ",(");
+               for (i = 0; i < dim; i++)
                 {
-                       p += sprintf(p, "%g", cube->x[i]);
-                       p += sprintf(p, ", ");
+                       if (i > 0)
+                               appendStringInfo(&buf, ", ");
+                       appendStringInfo(&buf, "%g", cube->x[i + dim]);
                 }
-               p -= 2;
-               p += sprintf(p, ")");
+               appendStringInfoChar(&buf, ')');
         }
  
-       return (result);
+       return buf.data;
  }
  
  
diff --git a/contrib/cube/cube.sql.in b/contrib/cube/cube.sql.in

index 66993e4cb69c9759bed05b0ed1f4a8aba24b685d..0637fbedfd9e4d6e826175dc397083539be9444e 100644 (file)
--- a/contrib/cube/cube.sql.in
+++ b/contrib/cube/cube.sql.in
@@ -8,12 +8,12 @@ SET search_path = public;
  CREATE FUNCTION cube_in(opaque)
  RETURNS opaque
  AS 'MODULE_PATHNAME'
-LANGUAGE 'c';
+LANGUAGE 'c' WITH (isStrict);
  
  CREATE FUNCTION cube_out(opaque)
  RETURNS opaque
  AS 'MODULE_PATHNAME'
-LANGUAGE 'c';
+LANGUAGE 'c' WITH (isStrict);
  
  CREATE TYPE cube (
  internallength = variable,
author	Tom Lane <tgl@sss.pgh.pa.us>
	Sun, 18 Aug 2002 20:15:52 +0000 (20:15 +0000)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Sun, 18 Aug 2002 20:15:52 +0000 (20:15 +0000)
contrib/cube/cube.c		patch \| blob \| blame \| history
contrib/cube/cube.sql.in		patch \| blob \| blame \| history