Unchecked strdup leading to segfault in pg_dump
While looking at something else I noticed that pg_dump performs strdup without
checking the returned pointer, which will segfault in hasSuffix() in case of
OOM. The attached, which should be backpatched to 16, changes to using
pg_strdup instead which handles it.
--
Daniel Gustafsson
Attachments:
pg_dump_strdup.diff
diff --git a/src/bin/pg_dump/compress_io.c b/src/bin/pg_dump/compress_io.c
index 4fee6e2434..efedc53a17 100644
--- a/src/bin/pg_dump/compress_io.c
+++ b/src/bin/pg_dump/compress_io.c
@@ -249,7 +249,7 @@ InitDiscoverCompressFileHandle(const char *path, const char *mode)
Assert(strcmp(mode, PG_BINARY_R) == 0);
- fname = strdup(path);
+ fname = pg_strdup(path);
if (hasSuffix(fname, ".gz"))
compression_spec.algorithm = PG_COMPRESSION_GZIP;
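Review bot: the replacement closes the NULL dereference on the following line, `if (hasSuffix(fname, ".gz"))`, since pg_strdup() in the frontend memutils exits with an out-of-memory error instead of returning NULL, so fname can no longer be NULL at that point; fname is still released with free(), which remains correct because pg_strdup() allocates with malloc() underneath. Worth confirming while here that compress_io.c has no other bare strdup()/malloc() calls in the same function that would need the identical treatment, and the commit message should state the backpatch target (16) given in the cover mail, since the hunk itself carries no such information.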
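The pattern the report describes, as an added example that is not PostgreSQL source and not the patch above: a strdup() wrapper with the contract of pg_strdup() (never returns NULL; reports and exits on allocation failure), a suffix check that is safe for names shorter than the suffix, and a constructed analogue of the compression dispatch that uses the checked copy. The function names, the enum and the .lz4/.zst branches are assumptions made for illustration; the hunk itself only shows the .gz case.

```c
/* Added example, not PostgreSQL code: demonstrates why an unchecked strdup()
 * result flowing into a suffix check crashes on OOM, and how a pg_strdup()
 * style wrapper removes the NULL path.  Names below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed enum for the example; pg_dump's real compression_spec differs. */
enum compression { COMPRESSION_NONE, COMPRESSION_GZIP, COMPRESSION_LZ4, COMPRESSION_ZSTD };

/* Same contract as PostgreSQL's pg_strdup() in fe_memutils.c: never returns
 * NULL.  On allocation failure it reports and exits, so no caller can
 * dereference a NULL copy.  Message text is an assumption. */
static char *checked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);

    if (copy == NULL)
    {
        fprintf(stderr, "out of memory\n");
        exit(EXIT_FAILURE);
    }
    memcpy(copy, s, n);
    return copy;
}

/* Suffix test.  With a NULL name, which a bare strdup() returns under OOM,
 * the strlen() here dereferences NULL: that is the segfault in hasSuffix()
 * the report describes.  Also guards against names shorter than the suffix
 * so the pointer arithmetic never moves before the start of the string. */
static int has_suffix(const char *name, const char *suffix)
{
    size_t namelen = strlen(name);
    size_t suffixlen = strlen(suffix);

    if (suffixlen > namelen)
        return 0;
    return strcmp(name + namelen - suffixlen, suffix) == 0;
}

/* Constructed analogue of the decision in InitDiscoverCompressFileHandle():
 * copy the path through the checked wrapper, then dispatch on its suffix.
 * The .lz4 and .zst branches are assumed for the example. */
enum compression detect_compression(const char *path)
{
    char *fname = checked_strdup(path);   /* was: strdup(path) with no NULL check */
    enum compression algo = COMPRESSION_NONE;

    if (has_suffix(fname, ".gz"))
        algo = COMPRESSION_GZIP;
    else if (has_suffix(fname, ".lz4"))
        algo = COMPRESSION_LZ4;
    else if (has_suffix(fname, ".zst"))
        algo = COMPRESSION_ZSTD;

    free(fname);
    return algo;
}

int main(void)
{
    /* Constructed sample paths, including one shorter than the suffix. */
    const char *samples[] = { "dump.toc.gz", "dump.lz4", "dump.zst", "dump", "gz" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], detect_compression(samples[i]));
    return 0;
}
```

The point of the wrapper is that the failure is handled once, at the allocation site, rather than at every later use; a NULL that escapes into string functions is a crash (or worse, in code that does arithmetic on the pointer first), whereas a loud exit on OOM is the behaviour a one-shot utility like pg_dump wants.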
On Wed Dec 20, 2023 at 8:52 AM CST, Daniel Gustafsson wrote:
> While looking at something else I noticed that pg_dump performs strdup without
> checking the returned pointer, which will segfault in hasSuffix() in case of
> OOM. The attached, which should be backpatched to 16, changes to using
> pg_strdup instead which handles it.

Looks good to me.
--
Tristan Partin
Neon (https://neon.tech)
On Wed, Dec 20, 2023 at 09:39:55AM -0600, Tristan Partin wrote:
> On Wed Dec 20, 2023 at 8:52 AM CST, Daniel Gustafsson wrote:
> > While looking at something else I noticed that pg_dump performs strdup without
> > checking the returned pointer, which will segfault in hasSuffix() in case of
> > OOM. The attached, which should be backpatched to 16, changes to using
> > pg_strdup instead which handles it.
>
> Looks good to me.

+1
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com