diff options
author | Tom Lane | 2009-07-10 00:32:00 +0000 |
---|---|---|
committer | Tom Lane | 2009-07-10 00:32:00 +0000 |
commit | eb740a6b854f8bf5ba21d5127b6d5be1bfe035e2 (patch) | |
tree | 7c753e8ec511ef06c89a4f474af1489e876efaf4 | |
parent | b7240baa08396c71dc64f3498e10e73e638cf4a8 (diff) |
Fix xslt_process() to ensure that it inserts a NULL terminator after the
last pair of parameter name/value strings, even when there are MAXPARAMS
of them. Aboriginal bug in contrib/xml2, noted while studying bug #4912
(though I'm not sure whether there's something else involved in that
report).
This might be thought a security issue, since it's a potential backend
crash; but considering that untrustworthy users shouldn't be allowed
to get their hands on xslt_process() anyway, it's probably not worth
getting excited about.
-rw-r--r-- | contrib/xml2/xslt_proc.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c index 45b269bf5f..798e688983 100644 --- a/contrib/xml2/xslt_proc.c +++ b/contrib/xml2/xslt_proc.c @@ -38,7 +38,8 @@ static void parse_params(const char **params, text *paramstr); Datum xslt_process(PG_FUNCTION_ARGS); -#define MAXPARAMS 20 +#define MAXPARAMS 20 /* must be even, see parse_params() */ + PG_FUNCTION_INFO_V1(xslt_process); @@ -129,12 +130,11 @@ xslt_process(PG_FUNCTION_ARGS) } -void +static void parse_params(const char **params, text *paramstr) { char *pos; char *pstr; - int i; char *nvsep = "="; char *itsep = ","; @@ -154,11 +154,13 @@ parse_params(const char **params, text *paramstr) } else { - params[i] = NULL; + /* No equal sign, so ignore this "parameter" */ + /* We'll reset params[i] to NULL below the loop */ break; } /* Value */ i++; + /* since MAXPARAMS is even, we still have i < MAXPARAMS */ params[i] = pos; pos = strstr(pos, itsep); if (pos != NULL) @@ -167,9 +169,11 @@ parse_params(const char **params, text *paramstr) pos++; } else + { + i++; break; - + } } - if (i < MAXPARAMS) - params[i + 1] = NULL; + + params[i] = NULL; } |