Work around a subtle portability problem in use of printf %s format.

Depending on which spec you read, field widths and precisions in %s may be counted either in bytes or characters. Our code was assuming bytes, which is wrong at least for glibc's implementation, and in any case libc might have a different idea of the prevailing encoding than we do. Hence, for portable results we must avoid using anything more complex than just "%s" unless the string to be printed is known to be all-ASCII. This patch fixes the cases I could find, including the psql formatting failure reported by Hernan Gonzalez. In HEAD only, I also added comments to some places where it appears safe to continue using "%.*s".

Work around a subtle portability problem in use of printf %s format.
Depending on which spec you read, field widths and precisions in %s may be counted either in bytes or characters. Our code was assuming bytes, which is wrong at least for glibc's implementation, and in any case libc might have a different idea of the prevailing encoding than we do. Hence, for portable results we must avoid using anything more complex than just "%s" unless the string to be printed is known to be all-ASCII. This patch fixes the cases I could find, including the psql formatting failure reported by Hernan Gonzalez. In HEAD only, I also added comments to some places where it appears safe to continue using "%.*s".
54cd4f04 · Tom Lane · 71a185a2 · 54cd4f04 · 54cd4f04 · 54cd4f04
Commit 54cd4f04 authored May 08, 2010 by Tom Lane
11 changed files
--- a/src/backend/lib/stringinfo.c
+++ b/src/backend/lib/stringinfo.c
@@ -9,7 +9,7 @@
 * Portions Copyright (c) 1996-2010, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- *	  $PostgreSQL: pgsql/src/backend/lib/stringinfo.c,v 1.52 2010/01/02 16:57:45 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/lib/stringinfo.c,v 1.53 2010/05/08 16:39:49 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -226,7 +226,8 @@ appendBinaryStringInfo(StringInfo str, const char *data, int datalen)
 	/*
 	 * Keep a trailing null in place, even though it's probably useless for
-	 * binary data...
+	 * binary data.  (Some callers are dealing with text but call this
+	 * because their input isn't null-terminated.)
 	 */
 	str->data[str->len] = '\0';
 }

--- a/src/backend/parser/scansup.c
+++ b/src/backend/parser/scansup.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/parser/scansup.c,v 1.39 2010/01/02 16:57:50 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/parser/scansup.c,v 1.40 2010/05/08 16:39:49 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -176,10 +176,20 @@ truncate_identifier(char *ident, int len, bool warn)
 	{
 		len = pg_mbcliplen(ident, len, NAMEDATALEN - 1);
 		if (warn)
+		{
+			/*
+			 * Cannot use %.*s here because some machines interpret %s's
+			 * precision in characters, others in bytes.
+			 */
+			char	buf[NAMEDATALEN];
+			memcpy(buf, ident, len);
+			buf[len] = '\0';
 			ereport(NOTICE,
 					(errcode(ERRCODE_NAME_TOO_LONG),
-					 errmsg("identifier \"%s\" will be truncated to \"%.*s\"",
+					 errmsg("identifier \"%s\" will be truncated to \"%s\"",
-							ident, len, ident)));
+							ident, buf)));
+		}
 		ident[len] = '\0';
 	}
 }

--- a/src/backend/tsearch/wparser_def.c
+++ b/src/backend/tsearch/wparser_def.c
@@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/tsearch/wparser_def.c,v 1.30 2010/04/28 02:04:16 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/tsearch/wparser_def.c,v 1.31 2010/05/08 16:39:49 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -322,6 +322,12 @@ TParserInit(char *str, int len)
 	prs->state->state = TPS_Base;
 #ifdef WPARSER_TRACE
+	/*
+	 * Use of %.*s here is not portable when the string contains multibyte
+	 * characters: some machines interpret the length in characters, others
+	 * in bytes.  Since it's only a debugging aid, we haven't bothered to
+	 * fix this.
+	 */
 	fprintf(stderr, "parsing \"%.*s\"\n", len, str);
 #endif
@@ -361,6 +367,7 @@ TParserCopyInit(const TParser *orig)
 	prs->state->state = TPS_Base;
 #ifdef WPARSER_TRACE
+	/* See note above about %.*s */
 	fprintf(stderr, "parsing copy of \"%.*s\"\n", prs->lenstr, prs->str);
 #endif

--- a/src/backend/utils/adt/datetime.c
+++ b/src/backend/utils/adt/datetime.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/adt/datetime.c,v 1.210 2010/01/02 16:57:53 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/adt/datetime.c,v 1.211 2010/05/08 16:39:51 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -3740,6 +3740,14 @@ EncodeDateTime(struct pg_tm * tm, fsec_t fsec, int *tzp, char **tzn, int style,
 			AppendTimestampSeconds(str + strlen(str), tm, fsec);
+			/*
+			 * Note: the uses of %.*s in this function would be unportable
+			 * if the timezone names ever contain non-ASCII characters,
+			 * since some platforms think the string length is measured
+			 * in characters not bytes.  However, all TZ abbreviations in
+			 * the Olson database are plain ASCII.
+			 */
 			if (tzp != NULL && tm->tm_isdst >= 0)
 			{
 				if (*tzn != NULL)
@@ -4091,6 +4099,7 @@ CheckDateTokenTable(const char *tablename, const datetkn *base, int nel)
 	{
 		if (strncmp(base[i - 1].token, base[i].token, TOKMAXLEN) >= 0)
 		{
+			/* %.*s is safe since all our tokens are ASCII */
 			elog(LOG, "ordering error in %s table: \"%.*s\" >= \"%.*s\"",
 				 tablename,
 				 TOKMAXLEN, base[i - 1].token,

--- a/src/backend/utils/error/elog.c
+++ b/src/backend/utils/error/elog.c
@@ -42,7 +42,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/error/elog.c,v 1.223 2010/02/26 02:01:12 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/error/elog.c,v 1.224 2010/05/08 16:39:51 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1871,7 +1871,7 @@ log_line_prefix(StringInfo buf, ErrorData *edata)
 					int			displen;
 					psdisp = get_ps_display(&displen);
-					appendStringInfo(buf, "%.*s", displen, psdisp);
+					appendBinaryStringInfo(buf, psdisp, displen);
 				}
 				break;
 			case 'r':
@@ -2029,7 +2029,7 @@ write_csvlog(ErrorData *edata)
 		initStringInfo(&msgbuf);
 		psdisp = get_ps_display(&displen);
-		appendStringInfo(&msgbuf, "%.*s", displen, psdisp);
+		appendBinaryStringInfo(&msgbuf, psdisp, displen);
 		appendCSVLiteral(&buf, msgbuf.data);
 		pfree(msgbuf.data);

--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -3,7 +3,7 @@
 *
 * Copyright (c) 2000-2010, PostgreSQL Global Development Group
 *
- * $PostgreSQL: pgsql/src/bin/psql/command.c,v 1.218 2010/04/03 20:55:57 tgl Exp $
+ * $PostgreSQL: pgsql/src/bin/psql/command.c,v 1.219 2010/05/08 16:39:51 tgl Exp $
 */
 #include "postgres_fe.h"
 #include "command.h"
@@ -651,6 +651,13 @@ exec_command(const char *cmd,
 	{
 		char	   *opt = psql_scan_slash_option(scan_state,
 												 OT_WHOLE_LINE, NULL, false);
+		size_t		len;
+		/* strip any trailing spaces and semicolons */
+		len = strlen(opt);
+		while (len > 0 &&
+			   (isspace((unsigned char) opt[len - 1]) || opt[len - 1] == ';'))
+			opt[--len] = '\0';
 		helpSQL(opt, pset.popt.topt.pager);
 		free(opt);

--- a/src/bin/psql/help.c
+++ b/src/bin/psql/help.c
@@ -3,7 +3,7 @@
 *
 * Copyright (c) 2000-2010, PostgreSQL Global Development Group
 *
- * $PostgreSQL: pgsql/src/bin/psql/help.c,v 1.157 2010/03/07 17:02:34 mha Exp $
+ * $PostgreSQL: pgsql/src/bin/psql/help.c,v 1.158 2010/05/08 16:39:51 tgl Exp $
 */
 #include "postgres_fe.h"
@@ -284,6 +284,7 @@ slashUsage(unsigned short int pager)
 /*
 * helpSQL -- help with SQL commands
 *
+ * Note: we assume caller removed any trailing spaces in "topic".
 */
 void
 helpSQL(const char *topic, unsigned short int pager)
@@ -352,17 +353,16 @@ helpSQL(const char *topic, unsigned short int pager)
 					wordlen;
 		int			nl_count = 0;
-		/* User gets two chances: exact match, then the first word */
+		/*
+		 * We first try exact match, then first + second words, then first
-		/* First pass : strip trailing spaces and semicolons */
+		 * word only.
+		 */
 		len = strlen(topic);
-		while (topic[len - 1] == ' ' || topic[len - 1] == ';')
-			len--;
-		for (x = 1; x <= 3; x++)	/* Three chances to guess that word... */
+		for (x = 1; x <= 3; x++)
 		{
 			if (x > 1)			/* Nothing on first pass - try the opening
-								 * words */
+								 * word(s) */
 			{
 				wordlen = j = 1;
 				while (topic[j] != ' ' && j++ < len)
@@ -423,7 +423,7 @@ helpSQL(const char *topic, unsigned short int pager)
 		}
 		if (!help_found)
-			fprintf(output, _("No help available for \"%-.*s\".\nTry \\h with no arguments to see available help.\n"), (int) len, topic);
+			fprintf(output, _("No help available for \"%s\".\nTry \\h with no arguments to see available help.\n"), topic);
 		/* Only close if we used the pager */
 		if (output != stdout)

--- a/src/bin/psql/print.c
+++ b/src/bin/psql/print.c
@@ -3,7 +3,7 @@
 *
 * Copyright (c) 2000-2010, PostgreSQL Global Development Group
 *
- * $PostgreSQL: pgsql/src/bin/psql/print.c,v 1.124 2010/03/01 21:27:26 heikki Exp $
+ * $PostgreSQL: pgsql/src/bin/psql/print.c,v 1.125 2010/05/08 16:39:52 tgl Exp $
 */
 #include "postgres_fe.h"
@@ -252,6 +252,20 @@ format_numeric_locale(const char *my_str)
 }
+/*
+ * fputnbytes: print exactly N bytes to a file
+ *
+ * Think not to use fprintf with a %.*s format for this.  Some machines
+ * believe %s's precision is measured in characters, others in bytes.
+ */
+static void
+fputnbytes(FILE *f, const char *str, size_t n)
+{
+	while (n-- > 0)
+		fputc(*str++, f);
+}
 /*************************/
 /* Unaligned text		 */
 /*************************/
@@ -913,14 +927,16 @@ print_aligned_text(const printTableContent *cont, FILE *fout)
 					{
 						/* spaces first */
 						fprintf(fout, "%*s", width_wrap[j] - chars_to_output, "");
-						fprintf(fout, "%.*s", bytes_to_output,
+						fputnbytes(fout,
-								this_line->ptr + bytes_output[j]);
+								   this_line->ptr + bytes_output[j],
+								   bytes_to_output);
 					}
 					else	/* Left aligned cell */
 					{
 						/* spaces second */
-						fprintf(fout, "%.*s", bytes_to_output,
+						fputnbytes(fout,
-								this_line->ptr + bytes_output[j]);
+								   this_line->ptr + bytes_output[j],
+								   bytes_to_output);
 					}
 					bytes_output[j] += bytes_to_output;

--- a/src/interfaces/ecpg/ecpglib/error.c
+++ b/src/interfaces/ecpg/ecpglib/error.c
-/* $PostgreSQL: pgsql/src/interfaces/ecpg/ecpglib/error.c,v 1.25 2010/03/08 12:15:24 meskes Exp $ */
+/* $PostgreSQL: pgsql/src/interfaces/ecpg/ecpglib/error.c,v 1.26 2010/05/08 16:39:52 tgl Exp $ */
 #define POSTGRES_ECPG_INTERNAL
 #include "postgres_fe.h"
@@ -332,6 +332,7 @@ ecpg_raise_backend(int line, PGresult *result, PGconn *conn, int compat)
 	else
 		sqlca->sqlcode = ECPG_PGSQL;
+	/* %.*s is safe here as long as sqlstate is all-ASCII */
 	ecpg_log("raising sqlstate %.*s (sqlcode %d): %s\n",
 			 sizeof(sqlca->sqlstate), sqlca->sqlstate, sqlca->sqlcode, sqlca->sqlerrm.sqlerrmc);

--- a/src/interfaces/ecpg/pgtypeslib/dt_common.c
+++ b/src/interfaces/ecpg/pgtypeslib/dt_common.c
-/* $PostgreSQL: pgsql/src/interfaces/ecpg/pgtypeslib/dt_common.c,v 1.51 2009/06/11 14:49:13 momjian Exp $ */
+/* $PostgreSQL: pgsql/src/interfaces/ecpg/pgtypeslib/dt_common.c,v 1.52 2010/05/08 16:39:52 tgl Exp $ */
 #include "postgres_fe.h"
@@ -855,6 +855,14 @@ EncodeDateTime(struct tm * tm, fsec_t fsec, int *tzp, char **tzn, int style, cha
 			if (tm->tm_year <= 0)
 				sprintf(str + strlen(str), " BC");
+			/*
+			 * Note: the uses of %.*s in this function would be unportable
+			 * if the timezone names ever contain non-ASCII characters,
+			 * since some platforms think the string length is measured
+			 * in characters not bytes.  However, all TZ abbreviations in
+			 * the Olson database are plain ASCII.
+			 */
 			if (tzp != NULL && tm->tm_isdst >= 0)
 			{
 				if (*tzn != NULL)

--- a/src/interfaces/libpq/fe-misc.c
+++ b/src/interfaces/libpq/fe-misc.c
@@ -23,7 +23,7 @@
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-misc.c,v 1.141 2010/01/02 16:58:12 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-misc.c,v 1.142 2010/05/08 16:39:53 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -67,6 +67,20 @@ static int pqSocketCheck(PGconn *conn, int forRead, int forWrite,
 static int	pqSocketPoll(int sock, int forRead, int forWrite, time_t end_time);
+/*
+ * fputnbytes: print exactly N bytes to a file
+ *
+ * Think not to use fprintf with a %.*s format for this.  Some machines
+ * believe %s's precision is measured in characters, others in bytes.
+ */
+static void
+fputnbytes(FILE *f, const char *str, size_t n)
+{
+	while (n-- > 0)
+		fputc(*str++, f);
+}
 /*
 * pqGetc: get 1 character from the connection
 *
@@ -187,8 +201,11 @@ pqGetnchar(char *s, size_t len, PGconn *conn)
 	conn->inCursor += len;
 	if (conn->Pfdebug)
-		fprintf(conn->Pfdebug, "From backend (%lu)> %.*s\n",
+	{
-				(unsigned long) len, (int) len, s);
+		fprintf(conn->Pfdebug, "From backend (%lu)> ", (unsigned long) len);
+		fputnbytes(conn->Pfdebug, s, len);
+		fprintf(conn->Pfdebug, "\n");
+	}
 	return 0;
 }
@@ -204,7 +221,11 @@ pqPutnchar(const char *s, size_t len, PGconn *conn)
 		return EOF;
 	if (conn->Pfdebug)
-		fprintf(conn->Pfdebug, "To backend> %.*s\n", (int) len, s);
+	{
+		fprintf(conn->Pfdebug, "To backend> ");
+		fputnbytes(conn->Pfdebug, s, len);
+		fprintf(conn->Pfdebug, "\n");
+	}
 	return 0;
 }