Fixed access to uninit'd mem in repack_indexdef

dvarrazzo · dvarrazzo · commit 109689586ef0 · 2013-04-22T00:48:53.000+01:00
If the tablespace is the last token in the indexdef, skip_ident returns a
pointer *after* the term zero, so garbage may end up after the statement.
diff --git a/lib/repack.c b/lib/repack.c
@@ -662,12 +662,13 @@ repack_indexdef(PG_FUNCTION_ARGS)
 		else
 		{
 			/* tablespace is to replace */
-			char *tmp;
+			char *tmp, *limit;
+			limit = strchr(stmt.options, '\0');
 			tmp = skip_const(index, stmt.options, " TABLESPACE", NULL);
 			appendStringInfoString(&str, stmt.options);
 			appendStringInfo(&str, " %s", NameStr(*tablespace));
 			tmp = skip_ident(index, tmp);
-			if (*tmp)
+			if (tmp < limit)
 				appendStringInfo(&str, " %s", tmp);
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -662,12 +662,13 @@ repack_indexdef(PG_FUNCTION_ARGS)`
`662`	`662`	`else`
`663`	`663`	`{`
`664`	`664`	`/* tablespace is to replace */`
`665`		`- char *tmp;`
	`665`	`+ char tmp, limit;`
	`666`	`+ limit = strchr(stmt.options, '\0');`
`666`	`667`	`tmp = skip_const(index, stmt.options, " TABLESPACE", NULL);`
`667`	`668`	`appendStringInfoString(&str, stmt.options);`
`668`	`669`	`appendStringInfo(&str, " %s", NameStr(*tablespace));`
`669`	`670`	`tmp = skip_ident(index, tmp);`
`670`		`- if (*tmp)`
	`671`	`+ if (tmp < limit)`
`671`	`672`	`appendStringInfo(&str, " %s", tmp);`
`672`	`673`	`}`
`673`	`674`	`}`