Commit 3d8c2b49 authored by Tom Lane's avatar Tom Lane

Fix broken allocation logic in recently-rewritten jsonb_util.c.

reserveFromBuffer() failed to consider the possibility that it needs to
more-than-double the current buffer size.  Beyond that, it seems likely
that we'd someday need to worry about integer overflow of the buffer
length variable.  Rather than reinvent the logic that's already been
debugged in stringinfo.c, let's go back to using that logic.  We can
still have the same targeted API, but we'll rely on stringinfo.c to
manage reallocation.

Per report from Alexander Korotkov.
parent 0b92a77c
...@@ -32,30 +32,20 @@ ...@@ -32,30 +32,20 @@
#define JSONB_MAX_ELEMS (Min(MaxAllocSize / sizeof(JsonbValue), JB_CMASK)) #define JSONB_MAX_ELEMS (Min(MaxAllocSize / sizeof(JsonbValue), JB_CMASK))
#define JSONB_MAX_PAIRS (Min(MaxAllocSize / sizeof(JsonbPair), JB_CMASK)) #define JSONB_MAX_PAIRS (Min(MaxAllocSize / sizeof(JsonbPair), JB_CMASK))
/*
* convertState: a resizeable buffer used when constructing a Jsonb datum
*/
typedef struct
{
char *buffer;
int len;
int allocatedsz;
} convertState;
static void fillJsonbValue(JEntry *array, int index, char *base_addr, static void fillJsonbValue(JEntry *array, int index, char *base_addr,
JsonbValue *result); JsonbValue *result);
static int compareJsonbScalarValue(JsonbValue *a, JsonbValue *b); static int compareJsonbScalarValue(JsonbValue *a, JsonbValue *b);
static int lexicalCompareJsonbStringValue(const void *a, const void *b); static int lexicalCompareJsonbStringValue(const void *a, const void *b);
static Jsonb *convertToJsonb(JsonbValue *val); static Jsonb *convertToJsonb(JsonbValue *val);
static void convertJsonbValue(convertState *buffer, JEntry *header, JsonbValue *val, int level); static void convertJsonbValue(StringInfo buffer, JEntry *header, JsonbValue *val, int level);
static void convertJsonbArray(convertState *buffer, JEntry *header, JsonbValue *val, int level); static void convertJsonbArray(StringInfo buffer, JEntry *header, JsonbValue *val, int level);
static void convertJsonbObject(convertState *buffer, JEntry *header, JsonbValue *val, int level); static void convertJsonbObject(StringInfo buffer, JEntry *header, JsonbValue *val, int level);
static void convertJsonbScalar(convertState *buffer, JEntry *header, JsonbValue *scalarVal); static void convertJsonbScalar(StringInfo buffer, JEntry *header, JsonbValue *scalarVal);
static int reserveFromBuffer(convertState *buffer, int len); static int reserveFromBuffer(StringInfo buffer, int len);
static void appendToBuffer(convertState *buffer, char *data, int len); static void appendToBuffer(StringInfo buffer, const char *data, int len);
static void copyToBuffer(convertState *buffer, int offset, char *data, int len); static void copyToBuffer(StringInfo buffer, int offset, const char *data, int len);
static short padBufferToInt(convertState *buffer); static short padBufferToInt(StringInfo buffer);
static JsonbIterator *iteratorFromContainer(JsonbContainer *container, JsonbIterator *parent); static JsonbIterator *iteratorFromContainer(JsonbContainer *container, JsonbIterator *parent);
static JsonbIterator *freeAndGetParent(JsonbIterator *it); static JsonbIterator *freeAndGetParent(JsonbIterator *it);
...@@ -1175,20 +1165,16 @@ lexicalCompareJsonbStringValue(const void *a, const void *b) ...@@ -1175,20 +1165,16 @@ lexicalCompareJsonbStringValue(const void *a, const void *b)
/* /*
* Reserve 'len' bytes, at the end of the buffer, enlarging it if necessary. * Reserve 'len' bytes, at the end of the buffer, enlarging it if necessary.
* Returns the offset to the reserved area. The caller is expected to copy * Returns the offset to the reserved area. The caller is expected to fill
* the data to the reserved area later with copyToBuffer() * the reserved area later with copyToBuffer().
*/ */
static int static int
reserveFromBuffer(convertState *buffer, int len) reserveFromBuffer(StringInfo buffer, int len)
{ {
int offset; int offset;
/* Make more room if needed */ /* Make more room if needed */
if (buffer->len + len > buffer->allocatedsz) enlargeStringInfo(buffer, len);
{
buffer->allocatedsz *= 2;
buffer->buffer = repalloc(buffer->buffer, buffer->allocatedsz);
}
/* remember current offset */ /* remember current offset */
offset = buffer->len; offset = buffer->len;
...@@ -1196,6 +1182,12 @@ reserveFromBuffer(convertState *buffer, int len) ...@@ -1196,6 +1182,12 @@ reserveFromBuffer(convertState *buffer, int len)
/* reserve the space */ /* reserve the space */
buffer->len += len; buffer->len += len;
/*
* Keep a trailing null in place, even though it's not useful for us;
* it seems best to preserve the invariants of StringInfos.
*/
buffer->data[buffer->len] = '\0';
return offset; return offset;
} }
...@@ -1203,16 +1195,16 @@ reserveFromBuffer(convertState *buffer, int len) ...@@ -1203,16 +1195,16 @@ reserveFromBuffer(convertState *buffer, int len)
* Copy 'len' bytes to a previously reserved area in buffer. * Copy 'len' bytes to a previously reserved area in buffer.
*/ */
static void static void
copyToBuffer(convertState *buffer, int offset, char *data, int len) copyToBuffer(StringInfo buffer, int offset, const char *data, int len)
{ {
memcpy(buffer->buffer + offset, data, len); memcpy(buffer->data + offset, data, len);
} }
/* /*
* A shorthand for reserveFromBuffer + copyToBuffer. * A shorthand for reserveFromBuffer + copyToBuffer.
*/ */
static void static void
appendToBuffer(convertState *buffer, char *data, int len) appendToBuffer(StringInfo buffer, const char *data, int len)
{ {
int offset; int offset;
...@@ -1226,17 +1218,19 @@ appendToBuffer(convertState *buffer, char *data, int len) ...@@ -1226,17 +1218,19 @@ appendToBuffer(convertState *buffer, char *data, int len)
* Returns the number of padding bytes appended. * Returns the number of padding bytes appended.
*/ */
static short static short
padBufferToInt(convertState *buffer) padBufferToInt(StringInfo buffer)
{ {
short padlen, int padlen,
p; p,
int offset; offset;
padlen = INTALIGN(buffer->len) - buffer->len; padlen = INTALIGN(buffer->len) - buffer->len;
offset = reserveFromBuffer(buffer, padlen); offset = reserveFromBuffer(buffer, padlen);
/* padlen must be small, so this is probably faster than a memset */
for (p = 0; p < padlen; p++) for (p = 0; p < padlen; p++)
buffer->buffer[offset + p] = 0; buffer->data[offset + p] = '\0';
return padlen; return padlen;
} }
...@@ -1247,7 +1241,7 @@ padBufferToInt(convertState *buffer) ...@@ -1247,7 +1241,7 @@ padBufferToInt(convertState *buffer)
static Jsonb * static Jsonb *
convertToJsonb(JsonbValue *val) convertToJsonb(JsonbValue *val)
{ {
convertState buffer; StringInfoData buffer;
JEntry jentry; JEntry jentry;
Jsonb *res; Jsonb *res;
...@@ -1255,9 +1249,7 @@ convertToJsonb(JsonbValue *val) ...@@ -1255,9 +1249,7 @@ convertToJsonb(JsonbValue *val)
Assert(val->type != jbvBinary); Assert(val->type != jbvBinary);
/* Allocate an output buffer. It will be enlarged as needed */ /* Allocate an output buffer. It will be enlarged as needed */
buffer.buffer = palloc(128); initStringInfo(&buffer);
buffer.len = 0;
buffer.allocatedsz = 128;
/* Make room for the varlena header */ /* Make room for the varlena header */
reserveFromBuffer(&buffer, sizeof(VARHDRSZ)); reserveFromBuffer(&buffer, sizeof(VARHDRSZ));
...@@ -1270,7 +1262,7 @@ convertToJsonb(JsonbValue *val) ...@@ -1270,7 +1262,7 @@ convertToJsonb(JsonbValue *val)
* kind of value it is. * kind of value it is.
*/ */
res = (Jsonb *) buffer.buffer; res = (Jsonb *) buffer.data;
SET_VARSIZE(res, buffer.len); SET_VARSIZE(res, buffer.len);
...@@ -1289,7 +1281,7 @@ convertToJsonb(JsonbValue *val) ...@@ -1289,7 +1281,7 @@ convertToJsonb(JsonbValue *val)
* for debugging purposes. * for debugging purposes.
*/ */
static void static void
convertJsonbValue(convertState *buffer, JEntry *header, JsonbValue *val, int level) convertJsonbValue(StringInfo buffer, JEntry *header, JsonbValue *val, int level)
{ {
check_stack_depth(); check_stack_depth();
...@@ -1307,7 +1299,7 @@ convertJsonbValue(convertState *buffer, JEntry *header, JsonbValue *val, int lev ...@@ -1307,7 +1299,7 @@ convertJsonbValue(convertState *buffer, JEntry *header, JsonbValue *val, int lev
} }
static void static void
convertJsonbArray(convertState *buffer, JEntry *pheader, JsonbValue *val, int level) convertJsonbArray(StringInfo buffer, JEntry *pheader, JsonbValue *val, int level)
{ {
int offset; int offset;
int metaoffset; int metaoffset;
...@@ -1366,7 +1358,7 @@ convertJsonbArray(convertState *buffer, JEntry *pheader, JsonbValue *val, int le ...@@ -1366,7 +1358,7 @@ convertJsonbArray(convertState *buffer, JEntry *pheader, JsonbValue *val, int le
} }
static void static void
convertJsonbObject(convertState *buffer, JEntry *pheader, JsonbValue *val, int level) convertJsonbObject(StringInfo buffer, JEntry *pheader, JsonbValue *val, int level)
{ {
uint32 header; uint32 header;
int offset; int offset;
...@@ -1431,7 +1423,7 @@ convertJsonbObject(convertState *buffer, JEntry *pheader, JsonbValue *val, int l ...@@ -1431,7 +1423,7 @@ convertJsonbObject(convertState *buffer, JEntry *pheader, JsonbValue *val, int l
} }
static void static void
convertJsonbScalar(convertState *buffer, JEntry *jentry, JsonbValue *scalarVal) convertJsonbScalar(StringInfo buffer, JEntry *jentry, JsonbValue *scalarVal)
{ {
int numlen; int numlen;
short padlen; short padlen;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment