Avoid possibly accessing off the end of memory in SJIS2004 conversion.

tglsfdc · tglsfdc · commit 623f77e9d133 · 2011-09-06T14:50:28.000-04:00
The code in shift_jis_20042euc_jis_2004() would fetch two bytes even when
only one remained in the string.  Since conversion functions aren't
supposed to assume null-terminated input, this poses a small risk of
fetching past the end of memory and incurring SIGSEGV.  No such crash has
been identified in the field, but we've certainly seen the equivalent
happen in other code paths, so patch this one all the way back.

Report and patch by Noah Misch.
diff --git a/src/backend/utils/mb/conversion_procs/euc2004_sjis2004/euc2004_sjis2004.c b/src/backend/utils/mb/conversion_procs/euc2004_sjis2004/euc2004_sjis2004.c
@@ -218,8 +218,7 @@ get_ten(int b, int *ku)
 static void
 shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len)
 {
-	int			c1,
-				c2;
+	int			c1;
 	int			ku,
 				ten,
 				kubun;
@@ -229,7 +228,6 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
 	while (len > 0)
 	{
 		c1 = *sjis;
-		c2 = sjis[1];
 
 		if (!IS_HIGHBIT_SET(c1))
 		{
@@ -245,7 +243,7 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
 
 		l = pg_encoding_verifymb(PG_SHIFT_JIS_2004, (const char *) sjis, len);
 
-		if (l < 0)
+		if (l < 0 || l > len)
 			report_invalid_encoding(PG_SHIFT_JIS_2004,
 									(const char *) sjis, len);
 
@@ -257,6 +255,8 @@ shift_jis_20042euc_jis_2004(const unsigned char *sjis, unsigned char *p, int len
 		}
 		else if (l == 2)
 		{
+			int			c2 = sjis[1];
+
 			plane = 1;
 			ku = 1;
 			ten = 1;

Original file line number	Diff line number	Diff line change
`@@ -218,8 +218,7 @@ get_ten(int b, int *ku)`
`218`	`218`	`static void`
`219`	`219`	`shift_jis_20042euc_jis_2004(const unsigned char sjis, unsigned char p, int len)`
`220`	`220`	`{`
`221`		`- int c1,`
`222`		`- c2;`
	`221`	`+ int c1;`
`223`	`222`	`int ku,`
`224`	`223`	`ten,`
`225`	`224`	`kubun;`
`@@ -229,7 +228,6 @@ shift_jis_20042euc_jis_2004(const unsigned char sjis, unsigned char p, int len`
`229`	`228`	`while (len > 0)`
`230`	`229`	`{`
`231`	`230`	`c1 = *sjis;`
`232`		`- c2 = sjis[1];`
`233`	`231`
`234`	`232`	`if (!IS_HIGHBIT_SET(c1))`
`235`	`233`	`{`
`@@ -245,7 +243,7 @@ shift_jis_20042euc_jis_2004(const unsigned char sjis, unsigned char p, int len`
`245`	`243`
`246`	`244`	`l = pg_encoding_verifymb(PG_SHIFT_JIS_2004, (const char *) sjis, len);`
`247`	`245`
`248`		`- if (l < 0)`
	`246`	`+ if (l < 0 \|\| l > len)`
`249`	`247`	`report_invalid_encoding(PG_SHIFT_JIS_2004,`
`250`	`248`	`(const char *) sjis, len);`
`251`	`249`
`@@ -257,6 +255,8 @@ shift_jis_20042euc_jis_2004(const unsigned char sjis, unsigned char p, int len`
`257`	`255`	`}`
`258`	`256`	`else if (l == 2)`
`259`	`257`	`{`
	`258`	`+ int c2 = sjis[1];`
	`259`	`+`
`260`	`260`	`plane = 1;`
`261`	`261`	`ku = 1;`
`262`	`262`	`ten = 1;`