Em dom., 11 de jul. de 2021 às 19:19, Heikki Linnakangas <hlinn...@iki.fi> escreveu:
> On 11/07/2021 22:51, Ranier Vilela wrote: > > Hi, > > > > While analyzing a possible use of an uninitialized variable, I checked > that > > *_bt_restore_page* can lead to memory corruption, > > by not checking the maximum limit of array items which is > > MaxIndexTuplesPerPage. > > > + /* Protect against corrupted recovery file */ > > + nitems = (len / sizeof(IndexTupleData)); > > + if (nitems < 0 || nitems > MaxIndexTuplesPerPage) > > + elog(PANIC, "_bt_restore_page: cannot restore %d items to > page", nitems); > > + > > That's not right. You don't get the number of items by dividing like > that. 'len' includes the tuple data as well, not just the IndexTupleData > header. > Thanks for the quick review. Not totally wrong. If it is not possible, know the upper limits, before the loop. It is necessary to do this inside the loop. attached v1 of patch. regards, Ranier Vilela
v1-0001-_bt_restore_page-have-issues-can-lead-a-memory-co.patch
Description: Binary data
