Fix xslt_process() to ensure that it inserts a NULL terminator after the

tglsfdc · tglsfdc · commit e7370babd186 · 2009-07-10T00:32:00.000Z
last pair of parameter name/value strings, even when there are MAXPARAMS
of them.  Aboriginal bug in contrib/xml2, noted while studying bug #4912
(though I'm not sure whether there's something else involved in that
report).

This might be thought a security issue, since it's a potential backend
crash; but considering that untrustworthy users shouldn't be allowed
to get their hands on xslt_process() anyway, it's probably not worth
getting excited about.
diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
@@ -1,5 +1,5 @@
 /*
- * $PostgreSQL: pgsql/contrib/xml2/xslt_proc.c,v 1.15 2009/06/11 14:48:53 momjian Exp $
+ * $PostgreSQL: pgsql/contrib/xml2/xslt_proc.c,v 1.16 2009/07/10 00:32:00 tgl Exp $
  *
  * XSLT processing functions (requiring libxslt)
  *
@@ -38,7 +38,8 @@ static void parse_params(const char **params, text *paramstr);
 Datum		xslt_process(PG_FUNCTION_ARGS);
 
 
-#define MAXPARAMS 20
+#define MAXPARAMS 20			/* must be even, see parse_params() */
+
 
 PG_FUNCTION_INFO_V1(xslt_process);
 
@@ -129,12 +130,11 @@ xslt_process(PG_FUNCTION_ARGS)
 }
 
 
-void
+static void
 parse_params(const char **params, text *paramstr)
 {
 	char	   *pos;
 	char	   *pstr;
-
 	int			i;
 	char	   *nvsep = "=";
 	char	   *itsep = ",";
@@ -154,11 +154,13 @@ parse_params(const char **params, text *paramstr)
 		}
 		else
 		{
-			params[i] = NULL;
+			/* No equal sign, so ignore this "parameter" */
+			/* We'll reset params[i] to NULL below the loop */
 			break;
 		}
 		/* Value */
 		i++;
+		/* since MAXPARAMS is even, we still have i < MAXPARAMS */
 		params[i] = pos;
 		pos = strstr(pos, itsep);
 		if (pos != NULL)
@@ -167,9 +169,11 @@ parse_params(const char **params, text *paramstr)
 			pos++;
 		}
 		else
+		{
+			i++;
 			break;
-
+		}
 	}
-	if (i < MAXPARAMS)
-		params[i + 1] = NULL;
+
+	params[i] = NULL;
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * $PostgreSQL: pgsql/contrib/xml2/xslt_proc.c,v 1.15 2009/06/11 14:48:53 momjian Exp $`
	`2`	`+ * $PostgreSQL: pgsql/contrib/xml2/xslt_proc.c,v 1.16 2009/07/10 00:32:00 tgl Exp $`
`3`	`3`	`*`
`4`	`4`	`* XSLT processing functions (requiring libxslt)`
`5`	`5`	`*`
`@@ -38,7 +38,8 @@ static void parse_params(const char *params, text paramstr);`
`38`	`38`	`Datum xslt_process(PG_FUNCTION_ARGS);`
`39`	`39`
`40`	`40`
`41`		`-#define MAXPARAMS 20`
	`41`	`+#define MAXPARAMS 20 /* must be even, see parse_params() */`
	`42`	`+`
`42`	`43`
`43`	`44`	`PG_FUNCTION_INFO_V1(xslt_process);`
`44`	`45`
`@@ -129,12 +130,11 @@ xslt_process(PG_FUNCTION_ARGS)`
`129`	`130`	`}`
`130`	`131`
`131`	`132`
`132`		`-void`
	`133`	`+static void`
`133`	`134`	`parse_params(const char *params, text paramstr)`
`134`	`135`	`{`
`135`	`136`	`char *pos;`
`136`	`137`	`char *pstr;`
`137`		`-`
`138`	`138`	`int i;`
`139`	`139`	`char *nvsep = "=";`
`140`	`140`	`char *itsep = ",";`
`@@ -154,11 +154,13 @@ parse_params(const char *params, text paramstr)`
`154`	`154`	`}`
`155`	`155`	`else`
`156`	`156`	`{`
`157`		`- params[i] = NULL;`
	`157`	`+ /* No equal sign, so ignore this "parameter" */`
	`158`	`+ /* We'll reset params[i] to NULL below the loop */`
`158`	`159`	`break;`
`159`	`160`	`}`
`160`	`161`	`/* Value */`
`161`	`162`	`i++;`
	`163`	`+ /* since MAXPARAMS is even, we still have i < MAXPARAMS */`
`162`	`164`	`params[i] = pos;`
`163`	`165`	`pos = strstr(pos, itsep);`
`164`	`166`	`if (pos != NULL)`
`@@ -167,9 +169,11 @@ parse_params(const char *params, text paramstr)`
`167`	`169`	`pos++;`
`168`	`170`	`}`
`169`	`171`	`else`
	`172`	`+ {`
	`173`	`+ i++;`
`170`	`174`	`break;`
`171`		`-`
	`175`	`+ }`
`172`	`176`	`}`
`173`		`- if (i < MAXPARAMS)`
`174`		`- params[i + 1] = NULL;`
	`177`	`+`
	`178`	`+ params[i] = NULL;`
`175`	`179`	`}`