From: Tom Lane Date: Thu, 21 Jul 2011 16:24:14 +0000 (-0400) Subject: Fix PQsetvalue() to avoid possible crash when adding a new tuple. X-Git-Tag: REL9_2_BETA1~1367 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a9f0dbc39df88ea7672352d3e7070d2603491bec;p=postgresql Fix PQsetvalue() to avoid possible crash when adding a new tuple. PQsetvalue unnecessarily duplicated the logic in pqAddTuple, and didn't duplicate it exactly either --- pqAddTuple does not care what is in the tuple-pointer array positions beyond the last valid entry, whereas the code in PQsetvalue assumed such positions would contain NULL. This led to possible crashes if PQsetvalue was applied to a PGresult that had previously been enlarged with pqAddTuple, for instance one built from a server query. Fix by relying on pqAddTuple instead of duplicating logic, and not assuming anything about the contents of res->tuples[res->ntups]. Back-patch to 8.4, where PQsetvalue was introduced. Andrew Chernow --- diff --git a/src/interfaces/libpq/fe-exec.c b/src/interfaces/libpq/fe-exec.c index 83c5ea363f..605d242809 100644 --- a/src/interfaces/libpq/fe-exec.c +++ b/src/interfaces/libpq/fe-exec.c @@ -424,28 +424,8 @@ PQsetvalue(PGresult *res, int tup_num, int field_num, char *value, int len) if (tup_num < 0 || tup_num > res->ntups) return FALSE; - /* need to grow the tuple table? */ - if (res->ntups >= res->tupArrSize) - { - int n = res->tupArrSize ? res->tupArrSize * 2 : 128; - PGresAttValue **tups; - - if (res->tuples) - tups = (PGresAttValue **) realloc(res->tuples, n * sizeof(PGresAttValue *)); - else - tups = (PGresAttValue **) malloc(n * sizeof(PGresAttValue *)); - - if (!tups) - return FALSE; - - memset(tups + res->tupArrSize, 0, - (n - res->tupArrSize) * sizeof(PGresAttValue *)); - res->tuples = tups; - res->tupArrSize = n; - } - /* need to allocate a new tuple? */ - if (tup_num == res->ntups && !res->tuples[tup_num]) + if (tup_num == res->ntups) { PGresAttValue *tup; int i; @@ -464,8 +444,9 @@ PQsetvalue(PGresult *res, int tup_num, int field_num, char *value, int len) tup[i].value = res->null_field; } - res->tuples[tup_num] = tup; - res->ntups++; + /* add it to the array */ + if (!pqAddTuple(res, tup)) + return FALSE; } attval = &res->tuples[tup_num][field_num];