diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2020-11-01 18:38:42 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2020-11-01 18:38:42 -0500 |
| commit | dfc797730fc7a07c0e6bd636ad1a564aecab3161 (patch) | |
| tree | 3292c03f44613d85646e0e1cdd5d10278612943b /src/backend/access/transam/commit_ts.c | |
| parent | 7f4235032f0d75ea1ad29b192d57fee3d8fe533e (diff) | |
| download | postgresql-dfc797730fc7a07c0e6bd636ad1a564aecab3161.tar.gz postgresql-dfc797730fc7a07c0e6bd636ad1a564aecab3161.zip | |
Fix two issues in TOAST decompression.
pglz_maximum_compressed_size() potentially underestimated the amount
of compressed data required to produce N bytes of decompressed data;
this is a fault in commit 11a078cf8.
Separately from that, pglz_decompress() failed to protect itself
against corrupt compressed data, particularly off == 0 in a match
tag. Commit c60e520f6 turned such a situation into an infinite loop,
where before it'd just have resulted in garbage output.
The combination of these two bugs seems like it may explain bug #16694
from Tom Vijlbrief, though it's impossible to be quite sure without
direct inspection of the failing session. (One needs to assume that
the pglz_maximum_compressed_size() bug caused us to fail to fetch the
second byte of a match tag, and what happened to be there instead was
a zero. The reported infinite loop is hard to explain without off == 0,
though.)
Aside from fixing the bugs, rewrite associated comments for more
clarity.
Back-patch to v13 where both these commits landed.
Discussion: https://postgr.es/m/16694-f107871e499ec114@postgresql.org
Diffstat (limited to 'src/backend/access/transam/commit_ts.c')
0 files changed, 0 insertions, 0 deletions