[postgis-tickets] [PostGIS] #4237: gidx_merge may store uninitialized memory
PostGIS
trac at osgeo.org
Wed Nov 14 09:23:37 PST 2018
#4237: gidx_merge may store uninitialized memory
------------------------+---------------------------
Reporter: Algunenano | Owner: pramsey
Type: defect | Status: new
Priority: high | Milestone: PostGIS 3.0.0
Component: postgis | Version: trunk
Keywords: |
------------------------+---------------------------
Detected with the memory sanitizer, so take it with a grain of salt:
{{{
value was stored to memory at
0x56464e28e2c5 in main
/usr/src/debug/postgres/src/backend/main/main.c:228:3
0x7f814fbac222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
0x7f80433baf07 in gidx_merge
/home/raul/dev/public/postgis/postgis/gserialized_gist_nd.c:196:3
0x7f80433baf07 in gserialized_gist_picksplit_addlist
/home/raul/dev/public/postgis/postgis/gserialized_gist_nd.c:1427
0x7f80433baf07 in gserialized_gist_picksplit
/home/raul/dev/public/postgis/postgis/gserialized_gist_nd.c:1712
0x56464d2cc09d in _start (/usr/bin/postgres+0xf809d)
0x56464f611657 in FunctionCall2Coll
/usr/src/debug/postgres/src/backend/utils/fmgr/fmgr.c:1145:11
}}}
It seems that the loop at
(https://github.com/postgis/postgis/blob/e89dd5b3ab9bbf87adcca196716c27b8636c6711/postgis/gserialized_gist_nd.c#L191)
accesses and stores uninitialized memory when `i >= dims_union`. This
memory was generated in the previous `if` by `repalloc` which, if it's a
wrapper around `realloc`:
{{{
If the new size is larger than the old size, the added memory will not be
initialized.
}}}
I haven't checked if previous releases are affected too.
--
Ticket URL: <https://trac.osgeo.org/postgis/ticket/4237>
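The pattern the ticket describes, as an added example that is not PostGIS code: a simplified GIDX-like box (assumed layout: a dimension count followed by min/max float pairs, not the real varlena) is grown with `realloc` to the dimensionality of the incoming box, and the merge loop then reads the union's slots for `i >= dims_union`, which nothing has written yet. A poisoning `realloc` wrapper (assumption: stands in for `repalloc`, filling the added bytes with 0xAA the way a debug allocator would) makes the stale read deterministic so the wrong result is visible without a sanitizer. The fixed variant copies the new dimensions from the incoming box before merging; this is one way to close the gap, not the project's actual patch.

```c
/* Added example, not PostGIS code. Demonstrates how growing a bounding box
 * with realloc and then merging over all dimensions of the new box reads
 * memory that was never initialized, and one way to avoid it. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified GIDX-like layout (assumption, not the real PostGIS struct):
 * c[2*i] is the min of dimension i, c[2*i+1] is its max. */
typedef struct {
    int   ndims;
    float c[];
} gidx_t;

static size_t gidx_size(int ndims) {
    return sizeof(gidx_t) + 2u * (size_t)ndims * sizeof(float);
}

static gidx_t *gidx_new(int ndims, const float *mins, const float *maxs) {
    gidx_t *g = malloc(gidx_size(ndims));
    g->ndims = ndims;
    for (int i = 0; i < ndims; i++) { g->c[2*i] = mins[i]; g->c[2*i+1] = maxs[i]; }
    return g;
}

/* Stand-in for repalloc. realloc leaves the added bytes unspecified; we fill
 * them with 0xAA so the stale read below gives a deterministic bogus float
 * instead of depending on what the allocator happened to leave there. */
static void *grow_poisoned(void *p, size_t old_size, size_t new_size) {
    void *q = realloc(p, new_size);
    if (q && new_size > old_size)
        memset((char *)q + old_size, 0xAA, new_size - old_size);
    return q;
}

/* Buggy shape: after the grow, the loop runs to dims_new and reads the
 * union's min/max for i >= dims_union, i.e. slots nobody has written. */
static void gidx_merge_buggy(gidx_t **b_union, const gidx_t *b_new) {
    int dims_union = (*b_union)->ndims, dims_new = b_new->ndims;
    if (dims_new > dims_union) {
        *b_union = grow_poisoned(*b_union, gidx_size(dims_union), gidx_size(dims_new));
        (*b_union)->ndims = dims_new;
    }
    for (int i = 0; i < dims_new; i++) {
        float umin = (*b_union)->c[2*i];     /* uninitialized when i >= dims_union */
        float umax = (*b_union)->c[2*i+1];
        (*b_union)->c[2*i]   = umin < b_new->c[2*i]   ? umin : b_new->c[2*i];
        (*b_union)->c[2*i+1] = umax > b_new->c[2*i+1] ? umax : b_new->c[2*i+1];
    }
}

/* Fixed shape: dimensions the union did not have contribute no extent, so
 * they are taken from b_new directly; the min/max loop only covers the
 * dimensions both boxes already had. */
static void gidx_merge_fixed(gidx_t **b_union, const gidx_t *b_new) {
    int dims_union = (*b_union)->ndims, dims_new = b_new->ndims;
    if (dims_new > dims_union) {
        *b_union = grow_poisoned(*b_union, gidx_size(dims_union), gidx_size(dims_new));
        (*b_union)->ndims = dims_new;
        for (int i = dims_union; i < dims_new; i++) {
            (*b_union)->c[2*i]   = b_new->c[2*i];
            (*b_union)->c[2*i+1] = b_new->c[2*i+1];
        }
    }
    int dims_common = dims_union < dims_new ? dims_union : dims_new;
    for (int i = 0; i < dims_common; i++) {
        float umin = (*b_union)->c[2*i], umax = (*b_union)->c[2*i+1];
        (*b_union)->c[2*i]   = umin < b_new->c[2*i]   ? umin : b_new->c[2*i];
        (*b_union)->c[2*i+1] = umax > b_new->c[2*i+1] ? umax : b_new->c[2*i+1];
    }
}

/* Constructed input: merge a 2-D union [0,1]x[0,1] with a 3-D box
 * [0,1]x[0,1]x[1,2] and return the resulting min of dimension 2.
 * The correct answer is 1.0; the buggy merge returns the poison float. */
static float merged_min_dim2(int use_fixed) {
    float umin[2] = {0.f, 0.f}, umax[2] = {1.f, 1.f};
    float nmin[3] = {0.f, 0.f, 1.f}, nmax[3] = {1.f, 1.f, 2.f};
    gidx_t *u = gidx_new(2, umin, umax);
    gidx_t *n = gidx_new(3, nmin, nmax);
    if (use_fixed) gidx_merge_fixed(&u, n); else gidx_merge_buggy(&u, n);
    float r = u->c[4];
    free(u); free(n);
    return r;
}

int main(void) {
    printf("buggy merge, min of dim 2: %g\n", merged_min_dim2(0));
    printf("fixed merge, min of dim 2: %g\n", merged_min_dim2(1));
    return 0;
}
```

To reproduce the sanitizer report the ticket quotes rather than the deterministic poison, replace `grow_poisoned` with a plain `realloc` and build with `clang -fsanitize=memory -g`; MemorySanitizer then flags the `umin`/`umax` loads in `gidx_merge_buggy` as uses of uninitialized values, while the fixed variant stays clean.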