Fix buffer overrun in isolation test program.

Commit 061b88c7 saved argv0 to a global buffer without ensuring that it was zero terminated, allowing references to it to overrun the buffer and access other memory. This probably would not have presented any security risk, but could have resulted in very confusing failures if the path to the executable was very long. Reported by David Rowley

Fix buffer overrun in isolation test program.
Commit 061b88c7 saved argv0 to a global buffer without ensuring that it was zero terminated, allowing references to it to overrun the buffer and access other memory. This probably would not have presented any security risk, but could have resulted in very confusing failures if the path to the executable was very long. Reported by David Rowley
7cb964ac · Kevin Grittner · 71dd54ad · 7cb964ac
Commit 7cb964ac authored Nov 15, 2013 by Kevin Grittner
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

src/test/isolation/isolation_main.c src/test/isolation/isolation_main.c +9 -1

No files found.
--- a/src/test/isolation/isolation_main.c
+++ b/src/test/isolation/isolation_main.c
@@ -98,6 +98,8 @@ isolation_start_test(const char *testname,
 static void
 isolation_init(int argc, char **argv)
 {
+	size_t		argv0_len;
 	/*
 	 * We unfortunately cannot do the find_other_exec() lookup to find the
 	 * "isolationtester" binary here.  regression_main() calls the
@@ -107,7 +109,13 @@ isolation_init(int argc, char **argv)
 	 * does to fail since it's linked to libpq.  So we instead copy argv[0]
 	 * and do the lookup the first time through isolation_start_test().
 	 */
-	strncpy(saved_argv0, argv[0], MAXPGPATH);
+	argv0_len = strlcpy(saved_argv0, argv[0], MAXPGPATH);
+	if (argv0_len >= MAXPGPATH)
+	{
+		fprintf(stderr, _("path for isolationtester executable is longer than %i bytes\n"),
+				(int) (MAXPGPATH - 1));
+		exit(2);
+	}
 	/* set default regression database name */
 	add_stringlist_item(&dblist, "isolationtest");