After looking more closely I see that pg_restore has two different
buffer overrun conditions in this one routine.  Attached is take two
of my patch.

This would be a lot simpler and cleaner if _PrintData() simply didn't
append a zero byte to the buffer contents.  Philip, is it actually
necessary for it to do that?

                        regards, tom lane


*** pg_backup_custom.c.orig     Fri Feb  9 17:32:26 2001
--- pg_backup_custom.c  Sat Mar 17 12:25:17 2001
***************
*** 150,156 ****
      if (ctx->zp == NULL)
        die_horribly(AH, "%s: unable to allocate zlib stream archive 
context",progname);
  
!     ctx->zlibOut = (char*)malloc(zlibOutSize);
      ctx->zlibIn = (char*)malloc(zlibInSize);
      ctx->inSize = zlibInSize;
      ctx->filePos = 0;
--- 150,163 ----
      if (ctx->zp == NULL)
        die_horribly(AH, "%s: unable to allocate zlib stream archive 
context",progname);
  
!       /*
!        * zlibOutSize is the buffer size we tell zlib it can output to.  We
!        * actually allocate one extra byte because some routines want to append
!        * a trailing zero byte to the zlib output.  The input buffer is expansible
!        * and is always of size ctx->inSize; zlibInSize is just the initial
!        * default size for it.
!        */
!     ctx->zlibOut = (char*)malloc(zlibOutSize+1);
      ctx->zlibIn = (char*)malloc(zlibInSize);
      ctx->inSize = zlibInSize;
      ctx->filePos = 0;
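Review bot: The two buffer allocations at the end of this hunk remain unchecked — `ctx->zlibOut = (char*)malloc(zlibOutSize+1);` and the `ctx->zlibIn` line right after it — even though the zlib stream allocation a few lines above dies via die_horribly() on NULL. A failed malloc here leaves NULL buffers that the compression path, including the trailing zero byte the new comment mentions, would later write through. Suggest adding `if (!ctx->zlibOut || !ctx->zlibIn) die_horribly(AH, "%s: unable to allocate zlib buffers\n", progname);` after the second malloc, matching the existing error style. The enclosing function starts before and ends after this hunk.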
***************
*** 518,531 ****
  
      blkLen = ReadInt(AH);
      while (blkLen != 0) {
!               if (blkLen > (ctx->inSize - 1)) {
                        free(ctx->zlibIn);
                        ctx->zlibIn = NULL;
!                       ctx->zlibIn = (char*)malloc(blkLen);
                        if (!ctx->zlibIn)
                                die_horribly(AH, "%s: failed to allocate decompression 
buffer\n", progname);
  
!                       ctx->inSize = blkLen;
                        in = ctx->zlibIn;
                }
  
--- 525,538 ----
  
      blkLen = ReadInt(AH);
      while (blkLen != 0) {
!               if (blkLen+1 > ctx->inSize) {
                        free(ctx->zlibIn);
                        ctx->zlibIn = NULL;
!                       ctx->zlibIn = (char*)malloc(blkLen+1);
                        if (!ctx->zlibIn)
                                die_horribly(AH, "%s: failed to allocate decompression 
buffer\n", progname);
  
!                       ctx->inSize = blkLen+1;
                        in = ctx->zlibIn;
                }
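Review bot: The new bound check `if (blkLen+1 > ctx->inSize)` still takes blkLen straight from the archive via ReadInt(); if ReadInt returns a signed int, a negative blkLen makes the test false and skips the reallocation, and a value of INT_MAX makes `blkLen+1` overflow so the check is bypassed while the raw length is presumably still used for the read that follows outside the hunk. Add an explicit range check before the comparison, e.g. `if (blkLen < 0) die_horribly(AH, "%s: bad block length in archive\n", progname);`, and an upper bound if the archive format defines one. The enclosing while loop and function continue past this hunk.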
  
