Fix potential buffer overrun in cube_out(), per report from

Bruno Wolff.

diff --git a/contrib/cube/cube.c b/contrib/cube/cube.c
index c97e86d3b408c524a2392152e78c1b8abf9813d3..b0b479016a78ae55bda3c42326d39e9ae4768700 100644 (file)
--- a/contrib/cube/cube.c
+++ b/contrib/cube/cube.c
@@ -10,6 +10,7 @@
 
 #include "access/gist.h"
 #include "access/rtree.h"
+#include "lib/stringinfo.h"
 #include "utils/elog.h"
 #include "utils/palloc.h"
 #include "utils/builtins.h"
@@ -107,47 +108,43 @@ cube_in(char *str)
  *    char *out_func(char *);
  */
 char *
-cube_out(NDBOX * cube)
+cube_out(NDBOX *cube)
 {
-   char       *result;
-   char       *p;
-   int         equal = 1;
+   StringInfoData buf;
+   bool        equal = true;
    int         dim = cube->dim;
    int         i;
 
-   if (cube == NULL)
-       return (NULL);
-
-   p = result = (char *) palloc(100);
+   initStringInfo(&buf);
 
    /*
     * while printing the first (LL) corner, check if it is equal to the
-    * scond one
+    * second one
     */
-   p += sprintf(p, "(");
+   appendStringInfoChar(&buf, '(');
    for (i = 0; i < dim; i++)
    {
-       p += sprintf(p, "%g", cube->x[i]);
-       p += sprintf(p, ", ");
+       if (i > 0)
+           appendStringInfo(&buf, ", ");
+       appendStringInfo(&buf, "%g", cube->x[i]);
        if (cube->x[i] != cube->x[i + dim])
-           equal = 0;
+           equal = false;
    }
-   p -= 2;                     /* get rid of the last ", " */
-   p += sprintf(p, ")");
+   appendStringInfoChar(&buf, ')');
 
    if (!equal)
    {
-       p += sprintf(p, ",(");
-       for (i = dim; i < dim * 2; i++)
+       appendStringInfo(&buf, ",(");
+       for (i = 0; i < dim; i++)
        {
-           p += sprintf(p, "%g", cube->x[i]);
-           p += sprintf(p, ", ");
+           if (i > 0)
+               appendStringInfo(&buf, ", ");
+           appendStringInfo(&buf, "%g", cube->x[i + dim]);
        }
-       p -= 2;
-       p += sprintf(p, ")");
+       appendStringInfoChar(&buf, ')');
    }
 
-   return (result);
+   return buf.data;
 }
 
 

diff --git a/contrib/cube/cube.sql.in b/contrib/cube/cube.sql.in
index 66993e4cb69c9759bed05b0ed1f4a8aba24b685d..0637fbedfd9e4d6e826175dc397083539be9444e 100644 (file)
--- a/contrib/cube/cube.sql.in
+++ b/contrib/cube/cube.sql.in
@@ -8,12 +8,12 @@ SET search_path = public;
 CREATE FUNCTION cube_in(opaque)
 RETURNS opaque
 AS 'MODULE_PATHNAME'
-LANGUAGE 'c';
+LANGUAGE 'c' WITH (isStrict);
 
 CREATE FUNCTION cube_out(opaque)
 RETURNS opaque
 AS 'MODULE_PATHNAME'
-LANGUAGE 'c';
+LANGUAGE 'c' WITH (isStrict);
 
 CREATE TYPE cube (
 internallength = variable,