Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rrlRe-002aLb-Hj for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Apr 2024 21:13:27 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rrlRd-00CDGJ-In for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Apr 2024 21:13:25 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rrlRd-00CDGA-9i for pgsql-hackers@lists.postgresql.org; Tue, 02 Apr 2024 21:13:25 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rrlRa-000IDf-QS for pgsql-hackers@postgresql.org; Tue, 02 Apr 2024 21:13:24 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 432LDK7w1836135; Tue, 2 Apr 2024 17:13:20 -0400 From: Tom Lane To: Ranier Vilela cc: Pg Hackers Subject: Re: Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c) In-reply-to: References: Comments: In-reply-to Ranier Vilela message dated "Sat, 30 Mar 2024 08:36:55 -0300" MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0" Content-ID: <1835779.1712092319.0@sss.pgh.pa.us> Date: Tue, 02 Apr 2024 17:13:20 -0400 Message-ID: <1836134.1712092400@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk ------- =_aaaaaaaaaa0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1835779.1712092319.1@sss.pgh.pa.us> Ranier Vilela writes: > While I working in [1], Coverity reported some errors: > src/bin/pg_basebackup/pg_createsubscriber.c > CID 1542690: (#1 of 2): Out-of-bounds access (OVERRUN) > alloc_strlen: Allocating insufficient memory for the terminating null of > the string. [Note: The source code implementation of the function has been > overridden by a builtin model.] > CID 1542690: (#2 of 2): Out-of-bounds access (OVERRUN) > alloc_strlen: Allocating insufficient memory for the terminating null of > the string. [Note: The source code implementation of the function has been > overridden by a builtin model.] Yeah, we saw that in the community run too. I'm tempted to call it an AI hallucination. The "Note" seems to mean that they're not actually analyzing our code but some made-up substitute. > The source of errors is the function PQescapeInternal. > The slow path has bugs when num_quotes or num_backslashes are greater than > zero. > For each num_quotes or num_backslahes we need to allocate two more. Nonsense. The quote or backslash is already counted in input_len, so we need to add just one more. If there were anything wrong here, I'm quite sure our testing under e.g. valgrind would have caught it years ago. However, just to be sure, I tried adding an Assert that the allocated space is filled exactly, as attached. It gets through check-world just fine. regards, tom lane ------- =_aaaaaaaaaa0 Content-Type: text/x-diff; name="assert-PQescapeInternal-isnt-broken.patch"; charset="us-ascii" Content-ID: <1835779.1712092319.2@sss.pgh.pa.us> Content-Description: assert-PQescapeInternal-isnt-broken.patch Content-Transfer-Encoding: quoted-printable diff --git a/src/interfaces/libpq/fe-exec.c b/src/interfaces/libpq/fe-exec= .c index c02a9180b2..43a4ce0458 100644 --- a/src/interfaces/libpq/fe-exec.c +++ b/src/interfaces/libpq/fe-exec.c @@ -4255,7 +4255,9 @@ PQescapeInternal(PGconn *conn, const char *str, size= _t len, bool as_ident) = /* Closing quote and terminating NUL. */ *rp++ =3D quote_char; - *rp =3D '\0'; + *rp++ =3D '\0'; + + Assert(rp =3D=3D result + result_size); = return result; } ------- =_aaaaaaaaaa0--