summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Lane2009-07-10 00:32:00 +0000
committerTom Lane2009-07-10 00:32:00 +0000
commiteb740a6b854f8bf5ba21d5127b6d5be1bfe035e2 (patch)
tree7c753e8ec511ef06c89a4f474af1489e876efaf4
parentb7240baa08396c71dc64f3498e10e73e638cf4a8 (diff)
Fix xslt_process() to ensure that it inserts a NULL terminator after the
last pair of parameter name/value strings, even when there are MAXPARAMS of them. Aboriginal bug in contrib/xml2, noted while studying bug #4912 (though I'm not sure whether there's something else involved in that report). This might be thought a security issue, since it's a potential backend crash; but considering that untrustworthy users shouldn't be allowed to get their hands on xslt_process() anyway, it's probably not worth getting excited about.
-rw-r--r--contrib/xml2/xslt_proc.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
index 45b269bf5f..798e688983 100644
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@@ -38,7 +38,8 @@ static void parse_params(const char **params, text *paramstr);
Datum xslt_process(PG_FUNCTION_ARGS);
-#define MAXPARAMS 20
+#define MAXPARAMS 20 /* must be even, see parse_params() */
+
PG_FUNCTION_INFO_V1(xslt_process);
@@ -129,12 +130,11 @@ xslt_process(PG_FUNCTION_ARGS)
}
-void
+static void
parse_params(const char **params, text *paramstr)
{
char *pos;
char *pstr;
-
int i;
char *nvsep = "=";
char *itsep = ",";
@@ -154,11 +154,13 @@ parse_params(const char **params, text *paramstr)
}
else
{
- params[i] = NULL;
+ /* No equal sign, so ignore this "parameter" */
+ /* We'll reset params[i] to NULL below the loop */
break;
}
/* Value */
i++;
+ /* since MAXPARAMS is even, we still have i < MAXPARAMS */
params[i] = pos;
pos = strstr(pos, itsep);
if (pos != NULL)
@@ -167,9 +169,11 @@ parse_params(const char **params, text *paramstr)
pos++;
}
else
+ {
+ i++;
break;
-
+ }
}
- if (i < MAXPARAMS)
- params[i + 1] = NULL;
+
+ params[i] = NULL;
}