From c2e2ad79890faa2429a8dab4a34a509ef79c05f9 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Tue, 21 Aug 2007 02:40:26 +0000
Subject: [PATCH] Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the byte after the last full byte of the bit array, regardless of whether that byte was part of the valid data or not. Found by buildfarm testing. Thanks to Stefan Kaltenbrunner for nailing down the cause.
---
 src/backend/utils/adt/varbit.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/backend/utils/adt/varbit.c b/src/backend/utils/adt/varbit.c
index bdbf43c899..78708dd564 100644
--- a/src/backend/utils/adt/varbit.c
+++ b/src/backend/utils/adt/varbit.c
@@ -9,7 +9,7 @@
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.44 2004/12/31 22:01:22 pgsql Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.44.4.1 2007/08/21 02:40:26 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -430,8 +430,9 @@ varbit_out(PG_FUNCTION_ARGS)
 result = (char *) palloc(len + 1);
 sp = VARBITS(s);
 r = result;
- for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
+ for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
 {
+ /* print full bytes */
 x = *sp;
 for (k = 0; k < BITS_PER_BYTE; k++)
 {
@@ -439,11 +440,15 @@ varbit_out(PG_FUNCTION_ARGS)
 x <<= 1;
 }
 }
- x = *sp;
- for (k = i; k < len; k++)
+ if (i < len)
 {
- *r++ = (x & BITHIGH) ? '1' : '0';
- x <<= 1;
+ /* print the last partial byte */
+ x = *sp;
+ for (k = i; k < len; k++)
+ {
+ *r++ = (x & BITHIGH) ? '1' : '0';
+ x <<= 1;
+ }
 }
 *r = '\0';
-- 
2.50.1
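Review bot: The new full-byte loop bound `i <= len - BITS_PER_BYTE` in the second hunk is safe only while `len` and `i` are signed. For a bit string shorter than one byte the subtraction goes negative and the loop is skipped, but with an unsigned `len` it would wrap and `sp` would walk far past the datum. The declarations sit outside the hunk, so the types cannot be confirmed from here; writing the condition as `len - i >= BITS_PER_BYTE` gives the same iterations without depending on signedness, because `i` never exceeds `len`. Since this is an over-read fix, a comment above the loop stating the invariant would help the next reader, e.g. `/* *sp is read only while at least one valid bit remains at index i */`. varbit_out's body starts and ends outside both hunks.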