Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the

byte after the last full byte of the bit array, regardless of whether that byte was part of the valid data or not. Found by buildfarm testing. Thanks to Stefan Kaltenbrunner for nailing down the cause.

Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the
byte after the last full byte of the bit array, regardless of whether that byte was part of the valid data or not. Found by buildfarm testing. Thanks to Stefan Kaltenbrunner for nailing down the cause.
1cee06ac · Tom Lane · 25a4a779 · 1cee06ac
Commit 1cee06ac authored Aug 21, 2007 by Tom Lane
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 6 deletions

src/backend/utils/adt/varbit.c src/backend/utils/adt/varbit.c +11 -6

No files found.
--- a/src/backend/utils/adt/varbit.c
+++ b/src/backend/utils/adt/varbit.c
@@ -9,7 +9,7 @@
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.54 2007/06/15 20:56:51 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/adt/varbit.c,v 1.55 2007/08/21 02:40:06 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -537,8 +537,9 @@ varbit_out(PG_FUNCTION_ARGS)
 	result = (char *) palloc(len + 1);
 	sp = VARBITS(s);
 	r = result;
-	for (i = 0; i < len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
+	for (i = 0; i <= len - BITS_PER_BYTE; i += BITS_PER_BYTE, sp++)
 	{
+		/* print full bytes */
 		x = *sp;
 		for (k = 0; k < BITS_PER_BYTE; k++)
 		{
@@ -546,11 +547,15 @@ varbit_out(PG_FUNCTION_ARGS)
 			x <<= 1;
 		}
 	}
-	x = *sp;
-	for (k = i; k < len; k++)
+	if (i < len)
 	{
-		*r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
-		x <<= 1;
+		/* print the last partial byte */
+		x = *sp;
+		for (k = i; k < len; k++)
+		{
+			*r++ = IS_HIGHBIT_SET(x) ? '1' : '0';
+			x <<= 1;
+		}
 	}
 	*r = '\0';