Fix buffer overrun in isolation test program.

Commit 061b88c732952c59741374806e1e41c1ec845d50 saved argv0 to a
global buffer without ensuring that it was zero terminated,
allowing references to it to overrun the buffer and access other
memory.  This probably would not have presented any security risk,
but could have resulted in very confusing failures if the path to
the executable was very long.

Reported by David Rowley

1 files changed, 9 insertions, 1 deletions

diff --git a/src/test/isolation/isolation_main.c b/src/test/isolation/isolation_main.c
index 94f01b81d34..78604375abc 100644
--- a/src/test/isolation/isolation_main.c
+++ b/src/test/isolation/isolation_main.c
@@ -98,6 +98,8 @@ isolation_start_test(const char *testname,
 static void
 isolation_init(int argc, char **argv)
 {
+	size_t		argv0_len;
+
 	/*
 	 * We unfortunately cannot do the find_other_exec() lookup to find the
 	 * "isolationtester" binary here.  regression_main() calls the
@@ -107,7 +109,13 @@ isolation_init(int argc, char **argv)
 	 * does to fail since it's linked to libpq.  So we instead copy argv[0]
 	 * and do the lookup the first time through isolation_start_test().
 	 */
-	strncpy(saved_argv0, argv[0], MAXPGPATH);
+	argv0_len = strlcpy(saved_argv0, argv[0], MAXPGPATH);
+	if (argv0_len >= MAXPGPATH)
+	{
+		fprintf(stderr, _("path for isolationtester executable is longer than %i bytes\n"),
+				(int) (MAXPGPATH - 1));
+		exit(2);
+	}
 
 	/* set default regression database name */
 	add_stringlist_item(&dblist, "isolationtest");