diff options
author | Tomas Vondra <tomas.vondra@postgresql.org> | 2023-05-17 16:35:17 +0200 |
---|---|---|
committer | Tomas Vondra <tomas.vondra@postgresql.org> | 2023-05-17 16:35:30 +0200 |
commit | 3c18d90f8907e53c3021fca13ad046133c480e4d (patch) | |
tree | 20fd76988ae4f52c1669321e4bb81b123314915f | |
parent | d8c3106bb60e4f87be595f241e173ba3c2b7aa2c (diff) | |
download | postgresql-3c18d90f8907e53c3021fca13ad046133c480e4d.tar.gz |
Null-terminate the output buffer of LZ4Stream_gets
LZ4Stream_gets did not null-terminate its output buffer. The callers expected
the buffer to be null-terminated and passed it around to functions such as
sscanf with unintended consequences.
Author: Georgios Kokolatos <gkokolatos@pm.me>
Reported-by: Alexander Lakhin <exclusion@gmail.com>
Discussion: https://postgr.es/m/94ae9bca-5ebb-1e68-bb7b-4f32e89fefbe@gmail.com
-rw-r--r-- | src/bin/pg_dump/compress_lz4.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/bin/pg_dump/compress_lz4.c b/src/bin/pg_dump/compress_lz4.c index 423e1b7976..f97b7550d1 100644 --- a/src/bin/pg_dump/compress_lz4.c +++ b/src/bin/pg_dump/compress_lz4.c @@ -459,6 +459,10 @@ LZ4Stream_read_internal(LZ4State *state, void *ptr, int ptrsize, bool eol_flag) if (!LZ4Stream_init(state, size, false /* decompressing */ )) return -1; + /* No work needs to be done for a zero-sized output buffer */ + if (size <= 0) + return 0; + /* Verify that there is enough space in the outbuf */ if (size > state->buflen) { @@ -636,7 +640,7 @@ LZ4Stream_gets(char *ptr, int size, CompressFileHandle *CFH) LZ4State *state = (LZ4State *) CFH->private_data; int ret; - ret = LZ4Stream_read_internal(state, ptr, size, true); + ret = LZ4Stream_read_internal(state, ptr, size - 1, true); if (ret < 0 || (ret == 0 && !LZ4Stream_eof(CFH))) pg_fatal("could not read from input file: %s", LZ4Stream_get_error(CFH)); @@ -644,6 +648,12 @@ LZ4Stream_gets(char *ptr, int size, CompressFileHandle *CFH) if (ret == 0) return NULL; + /* + * Our caller expects the return string to be NULL terminated + * and we know that ret is greater than zero. + */ + ptr[ret - 1] = '\0'; + return ptr; } |