diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2007-11-20 23:14:41 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2007-11-20 23:14:41 +0000 |
| commit | d23ba77a440597a99fd6ca90cd2a750cb95be352 (patch) | |
| tree | addcf8b5e1047460110faef8eb4a45215ef36f84 /src/backend/utils/adt/xml.c | |
| parent | 09a98e61c31938a5fb3c5a12b51fcfe08b8b3931 (diff) | |
| download | postgresql-d23ba77a440597a99fd6ca90cd2a750cb95be352.tar.gz postgresql-d23ba77a440597a99fd6ca90cd2a750cb95be352.zip | |
Fix bogus length calculation that could lead to crash if the string
happened to be right up against the end of memory, per report from
Matt Magoffin. While at it, avoid useless multiple copying of string
by not depending on xmlStrncatNew.
Diffstat (limited to 'src/backend/utils/adt/xml.c')
| -rw-r--r-- | src/backend/utils/adt/xml.c | 32 |
1 files changed, 19 insertions, 13 deletions
diff --git a/src/backend/utils/adt/xml.c b/src/backend/utils/adt/xml.c index a453f76bb37..d50c3c0feb0 100644 --- a/src/backend/utils/adt/xml.c +++ b/src/backend/utils/adt/xml.c @@ -7,7 +7,7 @@ * Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/backend/utils/adt/xml.c,v 1.58 2007/11/15 22:25:16 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/utils/adt/xml.c,v 1.59 2007/11/20 23:14:41 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -1109,12 +1109,14 @@ parse_xml_decl(const xmlChar * str, size_t *lenp, return XML_ERR_STANDALONE_VALUE; p += 1; SKIP_XML_SPACE(p); - if (xmlStrncmp(p, (xmlChar *) "'yes'", 5) == 0 || xmlStrncmp(p, (xmlChar *) "\"yes\"", 5) == 0) + if (xmlStrncmp(p, (xmlChar *) "'yes'", 5) == 0 || + xmlStrncmp(p, (xmlChar *) "\"yes\"", 5) == 0) { *standalone = 1; p += 5; } - else if (xmlStrncmp(p, (xmlChar *) "'no'", 4) == 0 || xmlStrncmp(p, (xmlChar *) "\"no\"", 4) == 0) + else if (xmlStrncmp(p, (xmlChar *) "'no'", 4) == 0 || + xmlStrncmp(p, (xmlChar *) "\"no\"", 4) == 0) { *standalone = 0; p += 4; @@ -3305,6 +3307,8 @@ xpath(PG_FUNCTION_ARGS) (errcode(ERRCODE_DATA_EXCEPTION), errmsg("empty XPath expression"))); + xml_init(); + /* * To handle both documents and fragments, regardless of the fact whether * the XML datum has a single root (XML well-formedness), we wrap the XML @@ -3324,20 +3328,22 @@ xpath(PG_FUNCTION_ARGS) "could not parse XML data"); ++i; - string = xmlStrncatNew((xmlChar *) "<x>", - (xmlChar *) datastr + i, len - i); + + datastr += i; + len -= i; } - else - string = xmlStrncatNew((xmlChar *) "<x>", - (xmlChar *) datastr, len); - string = xmlStrncat(string, (xmlChar *) "</x>", 5); + string = (xmlChar *) palloc((len + 8) * sizeof(xmlChar)); + memcpy(string, "<x>", 3); + memcpy(string + 3, datastr, len); + memcpy(string + 3 + len, "</x>", 5); len += 7; - xpath_expr = xmlStrncatNew((xmlChar *) "/x", - (xmlChar *) VARDATA(xpath_expr_text), xpath_len); - xpath_len += 2; - xml_init(); + xpath_expr = (xmlChar *) palloc((xpath_len + 3) * sizeof(xmlChar)); + memcpy(xpath_expr, "/x", 2); + memcpy(xpath_expr + 2, VARDATA(xpath_expr_text), xpath_len); + xpath_expr[xpath_len + 2] = '\0'; + xpath_len += 2; /* We use a PG_TRY block to ensure libxml parser is cleaned up on error */ PG_TRY(); |