diff options
author | Tom Lane <tgl@sss.pgh.pa.us> | 2009-07-10 00:32:29 +0000 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2009-07-10 00:32:29 +0000 |
commit | f5c2de263ec0fe865bc4d69b49fb4004306895b9 (patch) | |
tree | 123b5667c1df23c08ba95d594dccd62557bbfaca /contrib | |
parent | 455658ada3983e14ddab68f1aa16599d7686ebc2 (diff) | |
download | postgresql-f5c2de263ec0fe865bc4d69b49fb4004306895b9.tar.gz |
Fix xslt_process() to ensure that it inserts a NULL terminator after the
last pair of parameter name/value strings, even when there are MAXPARAMS
of them. Aboriginal bug in contrib/xml2, noted while studying bug #4912
(though I'm not sure whether there's something else involved in that
report).
This might be thought a security issue, since it's a potential backend
crash; but considering that untrustworthy users shouldn't be allowed
to get their hands on xslt_process() anyway, it's probably not worth
getting excited about.
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/xml2/xslt_proc.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c index 7b044a9e8a..38c28c6d95 100644 --- a/contrib/xml2/xslt_proc.c +++ b/contrib/xml2/xslt_proc.c @@ -35,7 +35,8 @@ static void parse_params(const char **params, text *paramstr); Datum xslt_process(PG_FUNCTION_ARGS); -#define MAXPARAMS 20 +#define MAXPARAMS 20 /* must be even, see parse_params() */ + PG_FUNCTION_INFO_V1(xslt_process); @@ -135,12 +136,11 @@ xslt_process(PG_FUNCTION_ARGS) } -void +static void parse_params(const char **params, text *paramstr) { char *pos; char *pstr; - int i; char *nvsep = "="; char *itsep = ","; @@ -160,11 +160,13 @@ parse_params(const char **params, text *paramstr) } else { - params[i] = NULL; + /* No equal sign, so ignore this "parameter" */ + /* We'll reset params[i] to NULL below the loop */ break; } /* Value */ i++; + /* since MAXPARAMS is even, we still have i < MAXPARAMS */ params[i] = pos; pos = strstr(pos, itsep); if (pos != NULL) @@ -173,9 +175,11 @@ parse_params(const char **params, text *paramstr) pos++; } else + { + i++; break; - + } } - if (i < MAXPARAMS) - params[i + 1] = NULL; + + params[i] = NULL; } |