Hi everyone,

I have found a potential memory overflow in the ecpg preproc module.

Here is: https://github.com/postgres/postgres/blob/REL9_5_16/src/interfaces/ecpg/preproc/pgc.l

In the parse_include() function:
-------------------------------------------------------------------
    for (ip = include_paths; yyin == NULL && ip != NULL; ip = ip->next)
    {
        if (strlen(ip->path) + strlen(yytext) + 3 > MAXPGPATH)   /* ★1: forgets to count the length of the char '\0' */
        {
            fprintf(stderr, _("Error: include path \"%s/%s\" is too long on line %d, skipping\n"),
                    ip->path, yytext, yylineno);
            continue;
        }
        snprintf(inc_file, sizeof(inc_file), "%s/%s", ip->path, yytext);
        yyin = fopen(inc_file, "r");
        if (!yyin)
        {
            if (strcmp(inc_file + strlen(inc_file) - 2, ".h") != 0)
            {
                strcat(inc_file, ".h");   /* ★2 */
                yyin = fopen(inc_file, "r");
            }
        }
    }
-----------------------------------------------------------------------

For example:

(1) The ecpg program has the statement below:

    EXEC SQL INCLUDE "abbbbbbbbcd"

    The filename's length is 11.

(2) Using the ecpg -I option to specify an additional include path, the additional include path's length is 1010, e.g.:

    /file1/ssssssss/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a
    /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

After entering parse_include(), the roadmap of execution is as follows.

1. When executing the code marked ★1, strlen(ip->path) is 1010 and strlen(yytext) is 11, so the total length (strlen(ip->path) + strlen(yytext) + 3) is 1024. As MAXPGPATH is 1024, the error is not thrown.

2. When executing the code marked ★2, the string stored in the variable inc_file is as follows.

    inc_file[0]:'f'
    inc_file[1]:'i'
    ....
    inc_file[1022]:'.'
    inc_file[1023]:'h'

   ====> there is no space for the char '\0'.

Last, it is easy to fix; here is a solution patch.

--
Regards,
Liu Huailing

--------------------------------------------------
Liu Huailing
Development Department III
Software Division II
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
ADDR.: No.6 Wenzhu Road, Software Avenue, Nanjing, 210012, China
TEL  : +86+25-86630566-8439
COINS: 7998-8439
FAX  : +86+25-83317685
MAIL : liuhuail...@cn.fujitsu.com
--------------------------------------------------
Attachment: pgl.pl.patch
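An added example, not code from the report or from PostgreSQL: the length check as quoted from pgc.l beside a corrected one that counts the terminating NUL, and a bounds-checked builder that refuses the report's 1010-byte path plus 11-byte name instead of dropping the '\0'. MAXPGPATH is redefined locally, the fopen() retry is left out, and constructed_path(), fixed_check_rejects() and build_include_path() are names of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXPGPATH 1024          /* same limit as PostgreSQL uses; redefined here */

static char sample_path[MAXPGPATH + 1];   /* constructed -I path, filled on demand */
static char inc_file[MAXPGPATH];          /* same size as the buffer in parse_include() */

/* The check as quoted from pgc.l: '/' and ".h" are counted, the NUL is not. */
bool original_check_rejects(const char *path, const char *name)
{
    return strlen(path) + strlen(name) + 3 > MAXPGPATH;
}

/* Corrected check: '/' (1) + ".h" (2) + terminating NUL (1) must all fit. */
bool fixed_check_rejects(const char *path, const char *name)
{
    return strlen(path) + 1 + strlen(name) + 2 + 1 > MAXPGPATH;
}

/* Constructed sample: an include path of `len` 'a' characters (the report
 * uses 1010). Returns a pointer to the static buffer. */
const char *constructed_path(size_t len)
{
    if (len > MAXPGPATH)
        len = MAXPGPATH;
    memset(sample_path, 'a', len);
    sample_path[len] = '\0';
    return sample_path;
}

/* Builds "<path>/<name>" into inc_file and, when the name does not already
 * end in ".h", appends it. Every step is bounds-checked: returns the final
 * length, or -1 instead of writing past the buffer like strcat() would. */
int build_include_path(const char *path, const char *name)
{
    int n = snprintf(inc_file, sizeof(inc_file), "%s/%s", path, name);
    if (n < 0 || (size_t) n >= sizeof(inc_file))
        return -1;                            /* truncated: would not fit */
    if (n < 2 || strcmp(inc_file + n - 2, ".h") != 0) {
        if ((size_t) n + 2 >= sizeof(inc_file))
            return -1;                        /* ".h" would leave no room for '\0' */
        memcpy(inc_file + n, ".h", 3);        /* copies the NUL too */
        n += 2;
    }
    return n;
}

const char *last_inc_file(void) { return inc_file; }
```

With the report's numbers the quoted check lets the name through while the corrected check and the builder both reject it; one byte less of path fits exactly, with the NUL at inc_file[1023].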