[postgis-devel] Issue 43 in postgis: [PATCH] Heap over-read in compute_geometry_stats()

codesite-noreply at google.com codesite-noreply at google.com
Mon Jul 14 15:23:01 PDT 2008 

Issue 43: [PATCH] Heap over-read in compute_geometry_stats()
http://code.google.com/p/postgis/issues/detail?id=43

New issue report by landon.j.fuller:
What steps will reproduce the problem?

- We saw SIGSEGVs occurring during all vacuums of a database containing the
TIGER2007FE dataset (~56 gigs).

The SIGSEGV occurs when the allocator returns a buffer that ends directly
prior to a page-aligned address, and the next page is unmapped. The code
reads past the end of the allocated buffer, and triggers the SIGSEGV on the
unmapped page

What version of the product are you using? On what operating system?

PostGIS 1.3.3 on FreeBSD 7.0/amd64.

Please provide any additional information below.

I tracked this issue down to compute_geometry_stats(), where a BOX2DFLOAT4
struct is heap allocated:
    sampleboxes[notnull_cnt] = palloc(sizeof(BOX2DFLOAT4));

And then later, copied to another palloced buffer:
    BOX2DFLOAT4 *box;
    box = (BOX2DFLOAT4 *)sampleboxes[i];
    ...
    newhistobox = palloc(sizeof(BOX));
    memcpy(newhistobox, box, sizeof(BOX));

sizeof(BOX) is used, however both the source and destination are
BOX2DFLOAT4 structs. While the newly allocated destination buffer is large
enough to hold sizeof(BOX), the source buffer, allocated using
sizeof(BOX2DFLOAT4), is not:

    sizeof(BOX) == 32
    sizeof(BOX2DFLOAT4) == 16

This leads to memcpy reading beyond the end of source box in the 
memcpy. If
the address past the source box was invalid, SIGSEGV resulted -- otherwise,
junk data was copied and left unused.

I've attached patches for both trunk and 1.3.3. With the patch in place,
vacuum completes successfully.


Attachments:
	patch-compute_geometry_stats-trunk.diff  512 bytes
	patch-compute_geometry_stats-1_3_3.diff  514 bytes


Issue attributes:
	Status: New
	Owner: ----
	Labels: Type-Defect Priority-Medium

-- 
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings

More information about the postgis-devel mailing list