Fix xslt_process() to ensure that it inserts a NULL terminator after the

last pair of parameter name/value strings, even when there are MAXPARAMS
of them.  Aboriginal bug in contrib/xml2, noted while studying bug #4912
(though I'm not sure whether there's something else involved in that
report).

This might be thought a security issue, since it's a potential backend
crash; but considering that untrustworthy users shouldn't be allowed
to get their hands on xslt_process() anyway, it's probably not worth
getting excited about.

1 files changed, 11 insertions, 7 deletions

diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
index 7b044a9e8a..38c28c6d95 100644
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@@ -35,7 +35,8 @@ static void parse_params(const char **params, text *paramstr);
 Datum		xslt_process(PG_FUNCTION_ARGS);
 
 
-#define MAXPARAMS 20
+#define MAXPARAMS 20			/* must be even, see parse_params() */
+
 
 PG_FUNCTION_INFO_V1(xslt_process);
 
@@ -135,12 +136,11 @@ xslt_process(PG_FUNCTION_ARGS)
 }
 
 
-void
+static void
 parse_params(const char **params, text *paramstr)
 {
 	char	   *pos;
 	char	   *pstr;
-
 	int			i;
 	char	   *nvsep = "=";
 	char	   *itsep = ",";
@@ -160,11 +160,13 @@ parse_params(const char **params, text *paramstr)
 		}
 		else
 		{
-			params[i] = NULL;
+			/* No equal sign, so ignore this "parameter" */
+			/* We'll reset params[i] to NULL below the loop */
 			break;
 		}
 		/* Value */
 		i++;
+		/* since MAXPARAMS is even, we still have i < MAXPARAMS */
 		params[i] = pos;
 		pos = strstr(pos, itsep);
 		if (pos != NULL)
@@ -173,9 +175,11 @@ parse_params(const char **params, text *paramstr)
 			pos++;
 		}
 		else
+		{
+			i++;
 			break;
-
+		}
 	}
-	if (i < MAXPARAMS)
-		params[i + 1] = NULL;
+
+	params[i] = NULL;
 }