Fix buffer overrun in isolation test program.

Commit 061b88c732952c59741374806e1e41c1ec845d50 saved argv0 to a global buffer without ensuring that it was zero terminated, allowing references to it to overrun the buffer and access other memory. This probably would not have presented any security risk, but could have resulted in very confusing failures if the path to the executable was very long. Reported by David Rowley
2013-11-15 08:27:42 -06:00 · 2013-11-15 08:27:42 -06:00 · 7cb964acb7
commit 7cb964acb7
parent 71dd54ada9
1 changed files with 9 additions and 1 deletions
--- a/src/test/isolation/isolation_main.c
+++ b/src/test/isolation/isolation_main.c
@ -98,6 +98,8 @@ isolation_start_test(const char *testname,
 static void
 isolation_init(int argc, char **argv)
 {
+	size_t		argv0_len;
+
 	/*
 	 * We unfortunately cannot do the find_other_exec() lookup to find the
 	 * "isolationtester" binary here.  regression_main() calls the
@ -107,7 +109,13 @@ isolation_init(int argc, char **argv)
 	 * does to fail since it's linked to libpq.  So we instead copy argv[0]
 	 * and do the lookup the first time through isolation_start_test().
 	 */
-	strncpy(saved_argv0, argv[0], MAXPGPATH);
+	argv0_len = strlcpy(saved_argv0, argv[0], MAXPGPATH);
+	if (argv0_len >= MAXPGPATH)
+	{
+		fprintf(stderr, _("path for isolationtester executable is longer than %i bytes\n"),
+				(int) (MAXPGPATH - 1));
+		exit(2);
+	}

 	/* set default regression database name */
 	add_stringlist_item(&dblist, "isolationtest");