Fix one-byte buffer overrun in contrib/test_parser.

tglsfdc · tglsfdc · commit 89b3c6cc8b56 · 2012-01-09T19:56:27.000-05:00
The original coding examined the next character before verifying that
there *is* a next character.  In the worst case with the input buffer
right up against the end of memory, this would result in a segfault.

Problem spotted by Paul Guyot; this commit extends his patch to fix an
additional case.  In addition, make the code a tad more readable by not
overloading the usage of *tlen.
diff --git a/contrib/test_parser/test_parser.c b/contrib/test_parser/test_parser.c
@@ -73,31 +73,32 @@ testprs_getlexeme(PG_FUNCTION_ARGS)
 	ParserState *pst = (ParserState *) PG_GETARG_POINTER(0);
 	char	  **t = (char **) PG_GETARG_POINTER(1);
 	int		   *tlen = (int *) PG_GETARG_POINTER(2);
+	int			startpos = pst->pos;
 	int			type;
 
-	*tlen = pst->pos;
 	*t = pst->buffer + pst->pos;
 
-	if ((pst->buffer)[pst->pos] == ' ')
+	if (pst->pos < pst->len &&
+		(pst->buffer)[pst->pos] == ' ')
 	{
 		/* blank type */
 		type = 12;
-		/* go to the next non-white-space character */
-		while ((pst->buffer)[pst->pos] == ' ' &&
-			   pst->pos < pst->len)
+		/* go to the next non-space character */
+		while (pst->pos < pst->len &&
+			   (pst->buffer)[pst->pos] == ' ')
 			(pst->pos)++;
 	}
 	else
 	{
 		/* word type */
 		type = 3;
-		/* go to the next white-space character */
-		while ((pst->buffer)[pst->pos] != ' ' &&
-			   pst->pos < pst->len)
+		/* go to the next space character */
+		while (pst->pos < pst->len &&
+			   (pst->buffer)[pst->pos] != ' ')
 			(pst->pos)++;
 	}
 
-	*tlen = pst->pos - *tlen;
+	*tlen = pst->pos - startpos;
 
 	/* we are finished if (*tlen == 0) */
 	if (*tlen == 0)
