1. 30 Jan, 2015 11 commits
    • Stephen Frost's avatar
      Policy documentation improvements · 3144e1b3
      Stephen Frost authored
      In ALTER POLICY, use 'check_expression' instead of 'expression' for the
      parameter, to match up with the recent CREATE POLICY change.
      
      In CREATE POLICY, frame the discussion as granting access to rows
      instead of limiting access to rows.  Further, clarify that the
      expression must return true for rows to be visible/allowed and that a
      false or NULL result will mean the row is not visible/allowed.
      
      Per discussion with Dean Rasheed and Robert.
      3144e1b3
    • Tom Lane's avatar
      Fix jsonb Unicode escape processing, and in consequence disallow \u0000. · 451d2808
      Tom Lane authored
      We've been trying to support \u0000 in JSON values since commit
      78ed8e03, and have introduced increasingly worse hacks to try to
      make it work, such as commit 0ad1a816.  However, it fundamentally
      can't work in the way envisioned, because the stored representation looks
      the same as for \\u0000 which is not the same thing at all.  It's also
      entirely bogus to output \u0000 when de-escaped output is called for.
      
      The right way to do this would be to store an actual 0x00 byte, and then
      throw error only if asked to produce de-escaped textual output.  However,
      getting to that point seems likely to take considerable work and may well
      never be practical in the 9.4.x series.
      
      To preserve our options for better behavior while getting rid of the nasty
      side-effects of 0ad1a816, revert that commit in toto and instead
      throw error if \u0000 is used in a context where it needs to be de-escaped.
      (These are the same contexts where non-ASCII Unicode escapes throw error
      if the database encoding isn't UTF8, so this behavior is by no means
      without precedent.)
      
      In passing, make both the \u0000 case and the non-ASCII Unicode case report
      ERRCODE_UNTRANSLATABLE_CHARACTER / "unsupported Unicode escape sequence"
      rather than claiming there's something wrong with the input syntax.
      
      Back-patch to 9.4, where we have to do something because 0ad1a816
      broke things for many cases having nothing to do with \u0000.  9.3 also has
      bogus behavior, but only for that specific escape value, so given the lack
      of field complaints it seems better to leave 9.3 alone.
      451d2808
    • Peter Eisentraut's avatar
      doc: Remove superfluous table column · e40d43f8
      Peter Eisentraut authored
      e40d43f8
    • Tom Lane's avatar
      Fix Coverity warning about contrib/pgcrypto's mdc_finish(). · a59ee881
      Tom Lane authored
      Coverity points out that mdc_finish returns a pointer to a local buffer
      (which of course is gone as soon as the function returns), leaving open
      a risk of misbehaviors possibly as bad as a stack overwrite.
      
      In reality, the only possible call site is in process_data_packets()
      which does not examine the returned pointer at all.  So there's no
      live bug, but nonetheless the code is confusing and risky.  Refactor
      to avoid the issue by letting process_data_packets() call mdc_finish()
      directly instead of going through the pullf_read() API.
      
      Although this is only cosmetic, it seems good to back-patch so that
      the logic in pgp-decrypt.c stays in sync across all branches.
      
      Marko Kreen
      a59ee881
    • Robert Haas's avatar
      Provide a way to supress the "out of memory" error when allocating. · bd4e2fd9
      Robert Haas authored
      Using the new interface MemoryContextAllocExtended, callers can
      specify MCXT_ALLOC_NO_OOM if they are prepared to handle a NULL
      return value.
      
      Michael Paquier, reviewed and somewhat revised by me.
      bd4e2fd9
    • Tom Lane's avatar
      Fix assorted oversights in range selectivity estimation. · 3d660d33
      Tom Lane authored
      calc_rangesel() failed outright when comparing range variables to empty
      constant ranges with < or >=, as a result of missing cases in a switch.
      It also produced a bogus estimate for > comparison to an empty range.
      
      On top of that, the >= and > cases were mislabeled throughout.  For
      nonempty constant ranges, they managed to produce the right answers
      anyway as a result of counterbalancing typos.
      
      Also, default_range_selectivity() omitted cases for elem <@ range,
      range &< range, and range &> range, so that rather dubious defaults
      were applied for these operators.
      
      In passing, rearrange the code in rangesel() so that the elem <@ range
      case is handled in a less opaque fashion.
      
      Report and patch by Emre Hasegeli, some additional work by me
      3d660d33
    • Heikki Linnakangas's avatar
      Fix query-duration memory leak with GIN rescans. · 68fa75f3
      Heikki Linnakangas authored
      The requiredEntries / additionalEntries arrays were not freed in
      freeScanKeys() like other per-key stuff.
      
      It's not obvious, but startScanKey() was only ever called after the keys
      have been initialized with ginNewScanKey(). That's why it doesn't need to
      worry about freeing existing arrays. The ginIsNewKey() test in gingetbitmap
      was never true, because ginrescan free's the existing keys, and it's not OK
      to call gingetbitmap twice in a row without calling ginrescan in between.
      To make that clear, remove the unnecessary ginIsNewKey(). And just to be
      extra sure that nothing funny happens if there is an existing key after all,
      call freeScanKeys() to free it if it exists. This makes the code more
      straightforward.
      
      (I'm seeing other similar leaks in testing a query that rescans an GIN index
      scan, but that's a different issue. This just fixes the obvious leak with
      those two arrays.)
      
      Backpatch to 9.4, where GIN fast scan was added.
      68fa75f3
    • Kevin Grittner's avatar
      Allow pg_dump to use jobs and serializable transactions together. · cff1bd2a
      Kevin Grittner authored
      Since 9.3, when the --jobs option was introduced, using it together
      with the --serializable-deferrable option generated multiple
      errors.  We can get correct behavior by allowing the connection
      which acquires the snapshot to use SERIALIZABLE, READ ONLY,
      DEFERRABLE and pass that to the workers running the other
      connections using REPEATABLE READ, READ ONLY.  This is a bit of a
      kluge since the SERIALIZABLE behavior is achieved by running some
      of the participating connections at a different isolation level,
      but it is a simple and safe change, suitable for back-patching.
      
      This will be followed by a proposal for a more invasive fix with
      some slight behavioral changes on just the master branch, based on
      suggestions from Andres Freund, but the kluge will be applied to
      master until something is agreed along those lines.
      
      Back-patched to 9.3, where the --jobs option was added.
      
      Based on report from Alexander Korotkov
      cff1bd2a
    • Stephen Frost's avatar
      Fix BuildIndexValueDescription for expressions · 32bf6ee6
      Stephen Frost authored
      In 804b6b6d we modified
      BuildIndexValueDescription to pay attention to which columns are visible
      to the user, but unfortunatley that commit neglected to consider indexes
      which are built on expressions.
      
      Handle error-reporting of violations of constraint indexes based on
      expressions by not returning any detail when the user does not have
      table-level SELECT rights.
      
      Backpatch to 9.0, as the prior commit was.
      
      Pointed out by Tom.
      32bf6ee6
    • Bruce Momjian's avatar
      doc: clarify libpq's 'verify-full' host name check · e7704305
      Bruce Momjian authored
      Report by David Guyot
      e7704305
    • Tom Lane's avatar
      Handle unexpected query results, especially NULLs, safely in connectby(). · 37507962
      Tom Lane authored
      connectby() didn't adequately check that the constructed SQL query returns
      what it's expected to; in fact, since commit 08c33c42 it wasn't
      checking that at all.  This could result in a null-pointer-dereference
      crash if the constructed query returns only one column instead of the
      expected two.  Less excitingly, it could also result in surprising data
      conversion failures if the constructed query returned values that were
      not I/O-conversion-compatible with the types specified by the query
      calling connectby().
      
      In all branches, insist that the query return at least two columns;
      this seems like a minimal sanity check that can't break any reasonable
      use-cases.
      
      In HEAD, insist that the constructed query return the types specified by
      the outer query, including checking for typmod incompatibility, which the
      code never did even before it got broken.  This is to hide the fact that
      the implementation does a conversion to text and back; someday we might
      want to improve that.
      
      In back branches, leave that alone, since adding a type check in a minor
      release is more likely to break things than make people happy.  Type
      inconsistencies will continue to work so long as the actual type and
      declared type are I/O representation compatible, and otherwise will fail
      the same way they used to.
      
      Also, in all branches, be on guard for NULL results from the constructed
      query, which formerly would cause null-pointer dereference crashes.
      We now print the row with the NULL but don't recurse down from it.
      
      In passing, get rid of the rather pointless idea that
      build_tuplestore_recursively() should return the same tuplestore that's
      passed to it.
      
      Michael Paquier, adjusted somewhat by me
      37507962
  2. 29 Jan, 2015 9 commits
    • Andres Freund's avatar
      Properly terminate the array returned by GetLockConflicts(). · 17792bfc
      Andres Freund authored
      GetLockConflicts() has for a long time not properly terminated the
      returned array. During normal processing the returned array is zero
      initialized which, while not pretty, is sufficient to be recognized as
      a invalid virtual transaction id. But the HotStandby case is more than
      aesthetically broken: The allocated (and reused) array is neither
      zeroed upon allocation, nor reinitialized, nor terminated.
      
      Not having a terminating element means that the end of the array will
      not be recognized and that recovery conflict handling will thus read
      ahead into adjacent memory. Only terminating when hitting memory
      content that looks like a invalid virtual transaction id.  Luckily
      this seems so far not have caused significant problems, besides making
      recovery conflict more expensive.
      
      Discussion: 20150127142713.GD29457@awork2.anarazel.de
      
      Backpatch into all supported branches.
      17792bfc
    • Andres Freund's avatar
      Align buffer descriptors to cache line boundaries. · ed127002
      Andres Freund authored
      Benchmarks has shown that aligning the buffer descriptor array to
      cache lines is important for scalability; especially on bigger,
      multi-socket, machines.
      
      Currently the array sometimes already happens to be aligned by
      happenstance, depending how large previous shared memory allocations
      were. That can lead to wildly varying performance results after minor
      configuration changes.
      
      In addition to aligning the start of descriptor array, also force the
      size of individual descriptors to be of a common cache line size (64
      bytes). That happens to already be the case on 64bit platforms, but
      this way we can change the struct BufferDesc more easily.
      
      As the alignment primarily matters in highly concurrent workloads
      which probably all are 64bit these days, and the space wastage of
      element alignment would be a bit more noticeable on 32bit systems, we
      don't force the stride to be cacheline sized on 32bit platforms for
      now. If somebody does actual performance testing, we can reevaluate
      that decision by changing the definition of BUFFERDESC_PADDED_SIZE.
      
      Discussion: 20140202151319.GD32123@awork2.anarazel.de
      
      Per discussion with Bruce Momjan, Tom Lane, Robert Haas, and Peter
      Geoghegan.
      ed127002
    • Andres Freund's avatar
      Fix #ifdefed'ed out code to compile again. · 7142bfbb
      Andres Freund authored
      7142bfbb
    • Heikki Linnakangas's avatar
      Fix bug where GIN scan keys were not initialized with gin_fuzzy_search_limit. · 31ed42b9
      Heikki Linnakangas authored
      When gin_fuzzy_search_limit was used, we could jump out of startScan()
      without calling startScanKey(). That was harmless in 9.3 and below, because
      startScanKey()() didn't do anything interesting, but in 9.4 it initializes
      information needed for skipping entries (aka GIN fast scans), and you
      readily get a segfault if it's not done. Nevertheless, it was clearly wrong
      all along, so backpatch all the way to 9.1 where the early return was
      introduced.
      
      (AFAICS startScanKey() did nothing useful in 9.3 and below, because the
      fields it initialized were already initialized in ginFillScanKey(), but I
      don't dare to change that in a minor release. ginFillScanKey() is always
      called in gingetbitmap() even though there's a check there to see if the
      scan keys have already been initialized, because they never are; ginrescan()
      free's them.)
      
      In the passing, remove unnecessary if-check from the second inner loop in
      startScan(). We already check in the first loop that the condition is true
      for all entries.
      
      Reported by Olaf Gawenda, bug #12694, Backpatch to 9.1 and above, although
      AFAICS it causes a live bug only in 9.4.
      31ed42b9
    • Robert Haas's avatar
      Move out-of-memory error checks from aset.c to mcxt.c · 3d6d1b58
      Robert Haas authored
      This potentially allows us to add mcxt.c interfaces that do something
      other than throw an error when memory cannot be allocated.  We'll
      handle adding those interfaces in a separate commit.
      
      Michael Paquier, with minor changes by me
      3d6d1b58
    • Stephen Frost's avatar
      Reword CREATE POLICY parameter descriptions · 1c993b3a
      Stephen Frost authored
      The parameter description for the using_expression and check_expression
      in CREATE POLICY were unclear and arguably included a typo.  Clarify
      and improve the consistency of that language.
      
      Pointed out by Dean Rasheed.
      1c993b3a
    • Stephen Frost's avatar
      CREATE POLICY expression -> using_expression · bb541812
      Stephen Frost authored
      The syntax for CREATE POLICY simply used "expression" for the USING
      expression, while the WITH CHECK expression was "check_expression".
      Given that we have two expressions, it's sensible to explcitly name both
      to maintain clarity.
      
      This patch simply changes the generic "expression" to be
      "using_expression".
      
      Pointed out by Peter Geoghegan.
      bb541812
    • Stephen Frost's avatar
      Improve CREATE POLICY documentation · 42f66b27
      Stephen Frost authored
      The CREATE POLICY documention didn't sufficiently clarify what happens
      when a given command type (eg: ALL or UPDATE) accepts both USING and
      WITH CHECK clauses, but only the USING clause is defined.  Add language
      to clarify that, in such a case, the USING clause will be used for both
      USING and WITH CHECK cases.
      
      Pointed out by Peter Geoghegan.
      42f66b27
    • Stephen Frost's avatar
      Add usebypassrls to pg_user and pg_shadow · c7cf9a24
      Stephen Frost authored
      The row level security patches didn't add the 'usebypassrls' columns to
      the pg_user and pg_shadow views on the belief that they were deprecated,
      but we havn't actually said they are and therefore we should include it.
      
      This patch corrects that, adds missing documentation for rolbypassrls
      into the system catalog page for pg_authid, along with the entries for
      pg_user and pg_shadow, and cleans up a few other uses of 'row-level'
      cases to be 'row level' in the docs.
      
      Pointed out by Amit Kapila.
      
      Catalog version bump due to system view changes.
      c7cf9a24
  3. 28 Jan, 2015 4 commits
    • Stephen Frost's avatar
      Clean up range-table building in copy.c · f8519a6a
      Stephen Frost authored
      Commit 804b6b6d added the build of a
      range table in copy.c to initialize the EState es_range_table since it
      can be needed in error paths.  Unfortunately, that commit didn't
      appreciate that some code paths might end up not initializing the rte
      which is used to build the range table.
      
      Fix that and clean up a couple others things along the way- build it
      only once and don't explicitly set it on the !is_from path as it
      doesn't make any sense there (cstate is palloc0'd, so this isn't an
      issue from an initializing standpoint either).
      
      The prior commit went back to 9.0, but this only goes back to 9.1 as
      prior to that the range table build happens immediately after building
      the RTE and therefore doesn't suffer from this issue.
      
      Pointed out by Robert.
      f8519a6a
    • Stephen Frost's avatar
      Fix column-privilege leak in error-message paths · 804b6b6d
      Stephen Frost authored
      While building error messages to return to the user,
      BuildIndexValueDescription, ExecBuildSlotValueDescription and
      ri_ReportViolation would happily include the entire key or entire row in
      the result returned to the user, even if the user didn't have access to
      view all of the columns being included.
      
      Instead, include only those columns which the user is providing or which
      the user has select rights on.  If the user does not have any rights
      to view the table or any of the columns involved then no detail is
      provided and a NULL value is returned from BuildIndexValueDescription
      and ExecBuildSlotValueDescription.  Note that, for key cases, the user
      must have access to all of the columns for the key to be shown; a
      partial key will not be returned.
      
      Further, in master only, do not return any data for cases where row
      security is enabled on the relation and row security should be applied
      for the user.  This required a bit of refactoring and moving of things
      around related to RLS- note the addition of utils/misc/rls.c.
      
      Back-patch all the way, as column-level privileges are now in all
      supported versions.
      
      This has been assigned CVE-2014-8161, but since the issue and the patch
      have already been publicized on pgsql-hackers, there's no point in trying
      to hide this commit.
      804b6b6d
    • Heikki Linnakangas's avatar
      Fix typo in comment. · acc2b1e8
      Heikki Linnakangas authored
      acc2b1e8
    • Heikki Linnakangas's avatar
      Remove dead NULL-pointer checks in GiST code. · 670bf71f
      Heikki Linnakangas authored
      gist_poly_compress() and gist_circle_compress() checked for a NULL-pointer
      key argument, but that was dead code; the gist code never passes a
      NULL-pointer to the "compress" method.
      
      This commit also removes a documentation note added in commit a0a3883d,
      about doing NULL-pointer checks in the "compress" method. It was added
      based on the fact that some implementations were doing NULL-pointer
      checks, but those checks were unnecessary in the first place.
      
      The NULL-pointer check in gbt_var_same() function was also unnecessary.
      The arguments to the "same" method come from the "compress", "union", or
      "picksplit" methods, but none of them return a NULL pointer.
      
      None of this is to be confused with SQL NULL values. Those are dealt with
      by the gist machinery, and are never passed to the GiST opclass methods.
      
      Michael Paquier
      670bf71f
  4. 27 Jan, 2015 1 commit
    • Tom Lane's avatar
      Fix NUMERIC field access macros to treat NaNs consistently. · 1a2b2034
      Tom Lane authored
      Commit 14534353 arranged to store numeric
      NaN values as short-header numerics, but the field access macros did not
      get the memo: they thought only "SHORT" numerics have short headers.
      
      Most of the time this makes no difference because we don't access the
      weight or dscale of a NaN; but numeric_send does that.  As pointed out
      by Andrew Gierth, this led to fetching uninitialized bytes.
      
      AFAICS this could not have any worse consequences than that; in particular,
      an unaligned stored numeric would have been detoasted by PG_GETARG_NUMERIC,
      so that there's no risk of a fetch off the end of memory.  Still, the code
      is wrong on its own terms, and it's not hard to foresee future changes that
      might expose us to real risks.  So back-patch to all affected branches.
      1a2b2034
  5. 26 Jan, 2015 7 commits
    • Tom Lane's avatar
      Add a note to PG_TRY's documentation about volatile safety. · 4b2a2547
      Tom Lane authored
      We had better memorialize what the actual requirements are for this.
      4b2a2547
    • Tom Lane's avatar
      Fix volatile-safety issue in dblink's materializeQueryResult(). · dabda641
      Tom Lane authored
      Some fields of the sinfo struct are modified within PG_TRY and then
      referenced within PG_CATCH, so as with recent patch to async.c, "volatile"
      is necessary for strict POSIX compliance; and that propagates to a couple
      of subroutines as well as materializeQueryResult() itself.  I think the
      risk of actual issues here is probably higher than in async.c, because
      storeQueryResult() is likely to get inlined into materializeQueryResult(),
      leaving the compiler free to conclude that its stores into sinfo fields are
      dead code.
      dabda641
    • Robert Haas's avatar
      Re-enable abbreviated keys on Windows. · 168a809d
      Robert Haas authored
      Commit 1be4eb1b disabled this, but I
      think the real problem here was fixed by commit
      b181a919 and commit
      d060e07f.  So let's try re-enabling
      it now and see what happens.
      168a809d
    • Tom Lane's avatar
      Fix volatile-safety issue in pltcl_SPI_execute_plan(). · 599d00aa
      Tom Lane authored
      The "callargs" variable is modified within PG_TRY and then referenced
      within PG_CATCH, which is exactly the coding pattern we've now found
      to be unsafe.  Marking "callargs" volatile would be problematic because
      it is passed by reference to some Tcl functions, so fix the problem
      by not modifying it within PG_TRY.  We can just postpone the free()
      till we exit the PG_TRY construct, as is already done elsewhere in this
      same file.
      
      Also, fix failure to free(callargs) when exiting on too-many-arguments
      error.  This is only a minor memory leak, but a leak nonetheless.
      
      In passing, remove some unnecessary "volatile" markings in the same
      function.  Those doubtless are there because gcc 2.95.3 whinged about
      them, but we now know that its algorithm for complaining is many bricks
      shy of a load.
      
      This is certainly a live bug with compilers that optimize similarly
      to current gcc, so back-patch to all active branches.
      599d00aa
    • Tom Lane's avatar
      Fix volatile-safety issue in asyncQueueReadAllNotifications(). · c58accd7
      Tom Lane authored
      The "pos" variable is modified within PG_TRY and then referenced
      within PG_CATCH, so for strict POSIX conformance it must be marked
      volatile.  Superficially the code looked safe because pos's address
      was taken, which was sufficient to force it into memory ... but it's
      not sufficient to ensure that the compiler applies updates exactly
      where the program text says to.  The volatility marking has to extend
      into a couple of subroutines too, but I think that's probably a good
      thing because the risk of out-of-order updates is mostly in those
      subroutines not asyncQueueReadAllNotifications() itself.  In principle
      the compiler could have re-ordered operations such that an error could
      be thrown while "pos" had an incorrect value.
      
      It's unclear how real the risk is here, but for safety back-patch
      to all active branches.
      c58accd7
    • Tom Lane's avatar
      Further cleanup of ReorderBufferCommit(). · c70f9e89
      Tom Lane authored
      On closer inspection, we can remove the "volatile" qualifier on
      "using_subtxn" so long as we initialize that before the PG_TRY block,
      which there's no particularly good reason not to do.
      Also, push the "change" variable inside the PG_TRY so as to remove
      all question of whether it needs "volatile", and remove useless
      early initializations of "snapshow_now" and "using_subtxn".
      c70f9e89
    • Tom Lane's avatar
      Clean up assorted issues in ALTER SYSTEM coding. · bf007a27
      Tom Lane authored
      Fix unsafe use of a non-volatile variable in PG_TRY/PG_CATCH in
      AlterSystemSetConfigFile().  While at it, clean up a bundle of other
      infelicities and outright bugs, including corner-case-incorrect linked list
      manipulation, a poorly designed and worse documented parse-and-validate
      function (which even included some randomly chosen hard-wired substitutes
      for the specified elevel in one code path ... wtf?), direct use of open()
      instead of fd.c's facilities, inadequate checking of write()'s return
      value, and generally poorly written commentary.
      bf007a27
  6. 24 Jan, 2015 5 commits
    • Tom Lane's avatar
      Clean up some mess in row-security patches. · fd496129
      Tom Lane authored
      Fix unsafe coding around PG_TRY in RelationBuildRowSecurity: can't change
      a variable inside PG_TRY and then use it in PG_CATCH without marking it
      "volatile".  In this case though it seems saner to avoid that by doing
      a single assignment before entering the TRY block.
      
      I started out just intending to fix that, but the more I looked at the
      row-security code the more distressed I got.  This patch also fixes
      incorrect construction of the RowSecurityPolicy cache entries (there was
      not sufficient care taken to copy pass-by-ref data into the cache memory
      context) and a whole bunch of sloppiness around the definition and use of
      pg_policy.polcmd.  You can't use nulls in that column because initdb will
      mark it NOT NULL --- and I see no particular reason why a null entry would
      be a good idea anyway, so changing initdb's behavior is not the right
      answer.  The internal value of '\0' wouldn't be suitable in a "char" column
      either, so after a bit of thought I settled on using '*' to represent ALL.
      Chasing those changes down also revealed that somebody wasn't paying
      attention to what the underlying values of ACL_UPDATE_CHR etc really were,
      and there was a great deal of lackadaiscalness in the catalogs.sgml
      documentation for pg_policy and pg_policies too.
      
      This doesn't pretend to be a complete code review for the row-security
      stuff, it just fixes the things that were in my face while dealing with
      the bugs in RelationBuildRowSecurity.
      fd496129
    • Tom Lane's avatar
      Fix unsafe coding in ReorderBufferCommit(). · f8a4dd2e
      Tom Lane authored
      "iterstate" must be marked volatile since it's changed inside the PG_TRY
      block and then used in the PG_CATCH stanza.  Noted by Mark Wilding of
      Salesforce.  (We really need to see if we can't get the C compiler to warn
      about this.)
      
      Also, reset iterstate to NULL after the mainline ReorderBufferIterTXNFinish
      call, to ensure the PG_CATCH block doesn't try to do that a second time.
      f8a4dd2e
    • Tom Lane's avatar
      Replace a bunch more uses of strncpy() with safer coding. · 586dd5d6
      Tom Lane authored
      strncpy() has a well-deserved reputation for being unsafe, so make an
      effort to get rid of nearly all occurrences in HEAD.
      
      A large fraction of the remaining uses were passing length less than or
      equal to the known strlen() of the source, in which case no null-padding
      can occur and the behavior is equivalent to memcpy(), though doubtless
      slower and certainly harder to reason about.  So just use memcpy() in
      these cases.
      
      In other cases, use either StrNCpy() or strlcpy() as appropriate (depending
      on whether padding to the full length of the destination buffer seems
      useful).
      
      I left a few strncpy() calls alone in the src/timezone/ code, to keep it
      in sync with upstream (the IANA tzcode distribution).  There are also a
      few such calls in ecpg that could possibly do with more analysis.
      
      AFAICT, none of these changes are more than cosmetic, except for the four
      occurrences in fe-secure-openssl.c, which are in fact buggy: an overlength
      source leads to a non-null-terminated destination buffer and ensuing
      misbehavior.  These don't seem like security issues, first because no stack
      clobber is possible and second because if your values of sslcert etc are
      coming from untrusted sources then you've got problems way worse than this.
      Still, it's undesirable to have unpredictable behavior for overlength
      inputs, so back-patch those four changes to all active branches.
      586dd5d6
    • Tom Lane's avatar
      Remove no-longer-referenced src/port/gethostname.c. · 9222cd84
      Tom Lane authored
      This file hasn't been part of any build since 2005, and even before that
      wasn't used unless you configured --with-krb4 (and had a machine without
      gethostname(2), obviously).  What's more, we haven't actually called
      gethostname anywhere since then, either (except in thread_test.c, whose
      testing of this function is probably pointless).  So we don't need it.
      9222cd84
    • Alvaro Herrera's avatar
      Fix assignment operator thinko · f2789ab8
      Alvaro Herrera authored
      Pointed out by Michael Paquier
      f2789ab8
  7. 23 Jan, 2015 3 commits
    • Robert Haas's avatar
      Fix typos, update README. · d1747571
      Robert Haas authored
      Peter Geoghegan
      d1747571
    • Alvaro Herrera's avatar
      vacuumdb: enable parallel mode · a1792320
      Alvaro Herrera authored
      This mode allows vacuumdb to open several server connections to vacuum
      or analyze several tables simultaneously.
      
      Author: Dilip Kumar.  Some reworking by Álvaro Herrera
      Reviewed by: Jeff Janes, Amit Kapila, Magnus Hagander, Andres Freund
      a1792320
    • Robert Haas's avatar
      Don't use abbreviated keys for the final merge pass. · 5cefbf5a
      Robert Haas authored
      When we write tuples out to disk and read them back in, the abbreviated
      keys become non-abbreviated, because the readtup routines don't know
      anything about abbreviation.  But without this fix, the rest of the
      code still thinks the abbreviation-aware compartor should be used,
      so chaos ensues.
      
      Report by Andrew Gierth; patch by Peter Geoghegan.
      5cefbf5a