[postgis-tickets] [PostGIS] #5114: pgsql2shp segfault with long or many truncated columns

Tue Mar 8 16:50:44 PST 2022

#5114: pgsql2shp segfault with long or many truncated columns
---------------------+---------------------------
 Reporter:  dfuhry2  |      Owner:  pramsey
     Type:  defect   |     Status:  new
 Priority:  medium   |  Milestone:  PostGIS 3.2.2
Component:  postgis  |    Version:  2.3.x
 Keywords:           |
---------------------+---------------------------
 I experienced this in a real-world query, but a short reproducible test
 case of pgsql2shp segfault is below.
 I think the problem may be state->message overflowing with messages about
 the truncated columns. As a workaround, raising SHPLOADERMSGLEN from 1024
 to 8192 caused pgsql2shp to complete successfully. But I assume some
 bounds checking is needed to prevent the overflow from occurring in the
 first place.
 This is against 2.5.3. Sorry to report against an old version, but I did
 not find a bug report for this against any newer version either.

 {{{
 gdb --args ./pgsql2shp -p 5434 -f test.shp dfuhry 'SELECT 1 AS
 abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk, 2 AS
 bcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijkl, 3 AS
 cdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklm, 4 AS
 defghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmn, 5 as
 efghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmno, 6 AS
 fghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnop, 7 AS
 ghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopq, 8 AS
 hijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqr, 9 AS
 ijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrs, 10 AS
 jklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrst'
 ...
 (gdb) r
 ...
 Initializing...
 *** buffer overflow detected ***: terminated

 Program received signal SIGABRT, Aborted.
 __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
 50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
 (gdb) bt
 #0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
 #1  0x00007ffff7d74537 in __GI_abort () at abort.c:79
 #2  0x00007ffff7dcd768 in __libc_message (action=action at entry=do_abort,
 fmt=fmt at entry=0x7ffff7edbc24 "*** %s ***: terminated\n") at
 ../sysdeps/posix/libc_fatal.c:155
 #3  0x00007ffff7e5c652 in __GI___fortify_fail
 (msg=msg at entry=0x7ffff7edbbba "buffer overflow detected") at
 fortify_fail.c:26
 #4  0x00007ffff7e5b050 in __GI___chk_fail () at chk_fail.c:28
 #5  0x00007ffff7e5a999 in __strncat_chk (s1=<optimized out>,
     s1 at entry=0x55555559b068 "Warning, field
 abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk renamed to
 ABCDEFGHIJ\nWarning, field
 bcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijkl renamed to
 BCDEFGHIJ"..., s2=<optimized out>,
     s2 at entry=0x7fffffffdd00 "No geometry column found.\nThe DBF file will
 be created but not the shx or shp files.\n", n=<optimized out>,
 s1len=<optimized out>, s1len at entry=1024) at strncat_chk.c:33
 #6  0x0000555555562c11 in strncat (__len=<optimized out>,
 __src=0x7fffffffdd00 "No geometry column found.\nThe DBF file will be
 created but not the shx or shp files.\n",
     __dest=0x55555559b068 "Warning, field
 abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk renamed to
 ABCDEFGHIJ\nWarning, field
 bcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijkl renamed to
 BCDEFGHIJ"...)
     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136
 #7  ShpDumperOpenTable (state=state at entry=0x55555559afb0) at pgsql2shp-
 core.c:1837
 #8  0x000055555555774f in main (argc=<optimized out>, argv=<optimized
 out>) at pgsql2shp-cli.c:191
 }}}

-- 
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5114>
PostGIS <http://trac.osgeo.org/postgis/>
The PostGIS Trac is used for bug, enhancement & task tracking, a user and developer wiki, and a view into the subversion code repository of PostGIS project.