Changeset: 042d64f1eead for MonetDB
URL: http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=042d64f1eead
Modified Files:
monetdb5/modules/mal/xid.c
Branch: xid
Log Message:
xid.c: detect/avoid overflow in XIDdecode() / XIDdecompress()
diffs (56 lines):
diff --git a/monetdb5/modules/mal/xid.c b/monetdb5/modules/mal/xid.c
--- a/monetdb5/modules/mal/xid.c
+++ b/monetdb5/modules/mal/xid.c
@@ -245,12 +245,14 @@ XIDcompress(Client cntxt, MalBlkPtr mb,
}
static str
-XIDdecode(BUN *rtrn, XIDcolumn col, oid *o, BUN lim)
+XIDdecode(BUN *rtrn, XIDcolumn col, oid *o, BUN lim, BUN cap)
{
oid v,w;
BUN cnt=0, i,j;
for (i=1 ; i<lim ; i++) {
+ if (cnt >= cap)
+ throw(MAL, "xid.decompress", "result BAT capacity
exceeded in XIDdecode()");
v = col[i].value;
switch ( (unsigned int) col[i].tag & XIDMASK ){
case XIDSET:
@@ -283,7 +285,7 @@ XIDdecompress(Client cntxt, MalBlkPtr mb
bat *ret = (bat*) getArgReference(stk,pci,0);
bat *bid = (bat*) getArgReference(stk,pci,1);
BAT *b, *bn;
- BUN cnt, lim;
+ BUN cnt, lim, cap;
XIDcolumn col;
oid *o;
lng clk;
@@ -302,7 +304,8 @@ XIDdecompress(Client cntxt, MalBlkPtr mb
return MAL_SUCCEED;
}
- bn = BATnew(b->htype, b->ttype, BATcapacity(b));
+ cap = BATcapacity(b);
+ bn = BATnew(b->htype, b->ttype, cap);
if ( bn == NULL) {
BBPreleaseref(b->batCacheid);
throw(MAL, "xid.decompress", MAL_MALLOC_FAIL);
@@ -315,7 +318,7 @@ XIDdecompress(Client cntxt, MalBlkPtr mb
o = (oid*)Tloc(bn,BUNfirst(bn));
clk = GDKusec();
- msg = XIDdecode(&cnt,col,o,lim);
+ msg = XIDdecode(&cnt,col,o,lim,cap);
if (msg != MAL_SUCCEED) {
BBPreleaseref(b->batCacheid);
BBPreleaseref(bn->batCacheid);
@@ -343,7 +346,7 @@ XIDdecompress(Client cntxt, MalBlkPtr mb
o = (oid*)Hloc(bn,BUNfirst(bn));
clk = GDKusec();
- msg = XIDdecode(&cnt,col,o,lim);
+ msg = XIDdecode(&cnt,col,o,lim,cap);
if (msg != MAL_SUCCEED) {
BBPreleaseref(b->batCacheid);
BBPreleaseref(bn->batCacheid);
_______________________________________________
Checkin-list mailing list
Checkin-list@monetdb.org
http://mail.monetdb.org/mailman/listinfo/checkin-list
