contrib/pgbench bugfix

Started by ITAGAKI Takahiro over 19 years ago, 2 messages
#1ITAGAKI Takahiro
itagaki.takahiro@oss.ntt.co.jp

I found a buffer overflow bug in contrib/pgbench.
This occurs when -c >= 2.

The type of 'state' is CState*, so we should use state+1 or &state[1],
not state + sizeof(*state).

*** pgbench.c	Mon Jul 31 13:18:45 2006
--- pgbench.fixed.c	Mon Jul 31 13:18:10 2006
*************** main(int argc, char **argv)
*** 1344,1350 ****
  			exit(1);
  		}

! memset(state + sizeof(*state), 0, sizeof(*state) * (nclients - 1));

  		for (i = 1; i < nclients; i++)
  		{
--- 1344,1350 ----
  			exit(1);
  		}

! memset(state + 1, 0, sizeof(*state) * (nclients - 1));

for (i = 1; i < nclients; i++)
{
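Review bot: the replacement on the `!` line is right, and the reason is worth spelling out: `state` is a `CState *`, so `state + sizeof(*state)` already advances in whole `CState` entries, landing sizeof(CState) entries (sizeof(CState) * sizeof(CState) bytes) past the start rather than one entry in. The original memset therefore zeroed (nclients - 1) entries starting far beyond an nclients-entry array whenever nclients >= 2, while leaving state[1..nclients) untouched; `state + 1` (or the equivalent `&state[1]`) starts at the second entry as intended. The hunk does not show where `state` is allocated, so confirm in the same review that the allocation is sized for nclients entries, which is what the (nclients - 1) zeroed entries plus state[0] require; the nclients == 1 case becomes a zero-length memset and is harmless.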

Regards,
---
ITAGAKI Takahiro
NTT Open Source Software Center
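The scaling mistake described above can be measured rather than argued about. The following C program is an added example, not part of the original message or of pgbench itself: it replays both forms of the memset against a throwaway client array placed inside a larger canary-filled arena, so the original expression still yields a valid pointer and the number of bytes it zeroes outside the array can be counted. The `CState` stand-in struct, the arena layout and the function names are assumptions of the example; only sizeof(CState) matters for the arithmetic.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Stand-in for pgbench's per-client CState. The real struct has other
 * fields; this field list is an assumption of the example, and only
 * sizeof(CState) matters for the pointer arithmetic being demonstrated.
 */
typedef struct
{
	void	   *con;			/* connection handle */
	int			id;
	int			state;
	int			cnt;
	int			ecnt;
	int			listen;
} CState;

#define FILL 0xAA				/* canary byte: zeroed bytes stand out from it */

/*
 * Replay the memset from pgbench main() for nclients clients, as originally
 * written (use_fix == 0) or as fixed (use_fix == 1). The nclients-entry
 * array sits at the start of a larger arena so that the original expression,
 * which advances by sizeof(CState) entries rather than bytes, still points
 * inside allocated memory and its write can be measured instead of crashing.
 * *outside receives the number of bytes zeroed past the nclients-entry array;
 * *tail_zeroed is 1 if state[1..nclients) were zeroed as the code intends.
 */
static void
replay_memset(int use_fix, int nclients, size_t *outside, int *tail_zeroed)
{
	size_t		elems = sizeof(CState) + (size_t) nclients;
	size_t		arena_bytes = elems * sizeof(CState);
	size_t		array_bytes = (size_t) nclients * sizeof(CState);
	CState	   *arena = malloc(arena_bytes);
	CState	   *state = arena;		/* the array pgbench would have allocated */
	const unsigned char *bytes = (const unsigned char *) arena;
	size_t		i;

	if (arena == NULL)
		exit(EXIT_FAILURE);
	memset(arena, FILL, arena_bytes);

	if (use_fix)
		memset(state + 1, 0, sizeof(*state) * (nclients - 1));				/* fixed line */
	else
		memset(state + sizeof(*state), 0, sizeof(*state) * (nclients - 1));	/* original line */

	*outside = 0;
	for (i = array_bytes; i < arena_bytes; i++)
		if (bytes[i] != FILL)
			(*outside)++;

	*tail_zeroed = 1;
	for (i = sizeof(CState); i < array_bytes; i++)
		if (bytes[i] != 0)
			*tail_zeroed = 0;

	free(arena);
}

/* Bytes zeroed outside the nclients-entry array; 0 means no overflow. */
static size_t
bytes_clobbered_outside(int use_fix, int nclients)
{
	size_t		outside;
	int			tail;

	replay_memset(use_fix, nclients, &outside, &tail);
	return outside;
}

/* 1 if state[1..nclients) were actually zeroed, 0 if they were left alone. */
static int
tail_was_zeroed(int use_fix, int nclients)
{
	size_t		outside;
	int			tail;

	replay_memset(use_fix, nclients, &outside, &tail);
	return tail;
}

/* Byte offset from state[0] at which each expression starts writing. */
static size_t
start_offset_bytes(int use_fix)
{
	return use_fix ? sizeof(CState) : sizeof(CState) * sizeof(CState);
}

int
main(void)
{
	int			nclients = 2;		/* the smallest -c that triggers the bug */

	printf("sizeof(CState) = %zu\n", sizeof(CState));
	printf("state + 1              starts %zu bytes in\n", start_offset_bytes(1));
	printf("state + sizeof(*state) starts %zu bytes in\n", start_offset_bytes(0));
	printf("-c %d original: %zu bytes zeroed past the array, tail zeroed: %d\n",
		   nclients, bytes_clobbered_outside(0, nclients), tail_was_zeroed(0, nclients));
	printf("-c %d fixed:    %zu bytes zeroed past the array, tail zeroed: %d\n",
		   nclients, bytes_clobbered_outside(1, nclients), tail_was_zeroed(1, nclients));
	return 0;
}
```

With the original expression every one of the (nclients - 1) entries is written past the end of the array, so the clients that were meant to be zeroed keep whatever the allocator left in them, and the write lands sizeof(CState) entries further on in the heap; with `-c 1` the length is zero and nothing happens, which matches the report that the bug needs -c >= 2.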

#2Tatsuo Ishii
ishii@sraoss.co.jp
In reply to: ITAGAKI Takahiro (#1)
Re: contrib/pgbench bugfix

Good catch!

Thanks. I have committed your fix.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
