Fix unsafe use of strtol() on a non-null-terminated Text datum.

jsonb_set() could produce wrong answers or incorrect error reports, or in
the worst case even crash, when trying to convert a path-array element into
an integer for use as an array subscript.  Per report from Vitaly Burovoy.
Back-patch to 9.5 where the faulty code was introduced (in commit
c6947010ceb42143).

Michael Paquier

diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c
index a4842cbcd83895ff576c49600b4dfa52824f8a3f..6cf2b783e6dee5ac7a192782b282525a8c057f65 100644 (file)
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -3873,7 +3873,7 @@ setPathArray(JsonbIterator **it, Datum *path_elems, bool *path_nulls,
    /* pick correct index */
    if (level < path_len && !path_nulls[level])
    {
-       char       *c = VARDATA_ANY(path_elems[level]);
+       char       *c = TextDatumGetCString(path_elems[level]);
        long        lindex;
 
        errno = 0;