Opened 6 years ago
Closed 6 years ago
#4237 closed defect (duplicate)
gidx_merge may store uninitialized memory
Reported by: | Algunenano | Owned by: | Algunenano |
---|---|---|---|
Priority: | high | Milestone: | PostGIS 2.2.8 |
Component: | postgis | Version: | master |
Keywords: | Cc: |
Description
Detected with the memory sanitizer, so take it with a grain of salt:
value was stored to memory at 0x56464e28e2c5 in main /usr/src/debug/postgres/src/backend/main/main.c:228:3
0x7f814fbac222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
0x7f80433baf07 in gidx_merge /home/raul/dev/public/postgis/postgis/gserialized_gist_nd.c:196:3
0x7f80433baf07 in gserialized_gist_picksplit_addlist /home/raul/dev/public/postgis/postgis/gserialized_gist_nd.c:1427
0x7f80433baf07 in gserialized_gist_picksplit /home/raul/dev/public/postgis/postgis/gserialized_gist_nd.c:1712
0x56464d2cc09d in _start (/usr/bin/postgres+0xf809d)
0x56464f611657 in FunctionCall2Coll /usr/src/debug/postgres/src/backend/utils/fmgr/fmgr.c:1145:11
It seems that the loop at (https://github.com/postgis/postgis/blob/e89dd5b3ab9bbf87adcca196716c27b8636c6711/postgis/gserialized_gist_nd.c#L191) accesses and stores uninitialized memory when i >= dims_union. This memory was generated in the previous if by repalloc which, if it's a wrapper to realloc:

If the new size is larger than the old size, the added memory will not be initialized.
I haven't checked if previous releases are affected too.
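The pattern the report describes, as an added illustration that is not PostGIS code: a simplified stand-in for the GIDX box (an assumption, not the project's real struct), a merge that grows the union with realloc and then min/maxes every dimension of the new box against it, reading the grown slots before anything wrote them, and a hardened merge that copies the gained dimensions from the new box instead. Because real realloc leaves unpredictable bytes behind, the grown slots are filled with a marker value here so the wrong result is visible and deterministic; the hardened variant is this example's own fix, not necessarily the one landed in #4139.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stands in for whatever realloc leaves in the added bytes (assumption: a
 * marker, so the effect is visible; a real run would see heap garbage). */
#define MARK (-1.0e30f)

/* Simplified n-dimensional box: c[2*i] is the min of dimension i,
 * c[2*i+1] its max.  Not the real GIDX layout, just enough to show the bug. */
typedef struct {
    int ndims;
    float c[];
} box_nd;

static float fmin_(float a, float b) { return a < b ? a : b; }
static float fmax_(float a, float b) { return a > b ? a : b; }
static float box_min(const box_nd *b, int d) { return b->c[2 * d]; }
static float box_max(const box_nd *b, int d) { return b->c[2 * d + 1]; }

static box_nd *box_new(int ndims, const float *minmax) {
    box_nd *b = malloc(sizeof *b + 2 * (size_t)ndims * sizeof(float));
    if (!b) abort();
    b->ndims = ndims;
    memcpy(b->c, minmax, 2 * (size_t)ndims * sizeof(float));
    return b;
}

/* Grow the union to dims_new dimensions.  The slots between the old and the
 * new size are exactly the ones realloc does not initialize; MARK simulates that. */
static void box_grow(box_nd **b, int dims_new) {
    int dims_old = (*b)->ndims;
    box_nd *nb = realloc(*b, sizeof **b + 2 * (size_t)dims_new * sizeof(float));
    if (!nb) abort();
    for (int i = 2 * dims_old; i < 2 * dims_new; i++) nb->c[i] = MARK;
    nb->ndims = dims_new;
    *b = nb;
}

/* Mirrors the reported pattern: after growing, min/max over all dims_new
 * dimensions, so for i >= dims_union the union side of the comparison is
 * whatever the grown memory happened to contain. */
static void merge_buggy(box_nd **b_union, const box_nd *b_new) {
    if ((*b_union)->ndims < b_new->ndims) box_grow(b_union, b_new->ndims);
    for (int i = 0; i < b_new->ndims; i++) {
        (*b_union)->c[2 * i]     = fmin_((*b_union)->c[2 * i],     b_new->c[2 * i]);
        (*b_union)->c[2 * i + 1] = fmax_((*b_union)->c[2 * i + 1], b_new->c[2 * i + 1]);
    }
}

/* Hardened: dimensions the union gains are copied from b_new, and min/max
 * only runs over dimensions both boxes already had, so no slot is read
 * before it has been written.  A b_new with fewer dimensions leaves the
 * union's extra dimensions untouched (an assumption of this example). */
static void merge_fixed(box_nd **b_union, const box_nd *b_new) {
    int dims_union = (*b_union)->ndims;
    if (dims_union < b_new->ndims) {
        box_grow(b_union, b_new->ndims);
        memcpy(&(*b_union)->c[2 * dims_union], &b_new->c[2 * dims_union],
               2 * (size_t)(b_new->ndims - dims_union) * sizeof(float));
    }
    int shared = dims_union < b_new->ndims ? dims_union : b_new->ndims;
    for (int i = 0; i < shared; i++) {
        (*b_union)->c[2 * i]     = fmin_((*b_union)->c[2 * i],     b_new->c[2 * i]);
        (*b_union)->c[2 * i + 1] = fmax_((*b_union)->c[2 * i + 1], b_new->c[2 * i + 1]);
    }
}

/* Merge a constructed 2-D union with a constructed 3-D box and return the
 * requested coordinate of the result (dim, 0 = min / 1 = max). */
static float demo(void (*merge)(box_nd **, const box_nd *), int dim, int want_max) {
    const float two_d[]   = {0, 1, 0, 1};          /* x:[0,1] y:[0,1]            */
    const float three_d[] = {2, 3, 2, 3, 5, 6};    /* x:[2,3] y:[2,3] z:[5,6]    */
    box_nd *u = box_new(2, two_d);
    box_nd *n = box_new(3, three_d);
    merge(&u, n);
    float r = want_max ? box_max(u, dim) : box_min(u, dim);
    free(u);
    free(n);
    return r;
}

int main(void) {
    printf("buggy z min: %g (should be 5)\n", demo(merge_buggy, 2, 0));
    printf("fixed z min: %g\n", demo(merge_fixed, 2, 0));
    printf("fixed z max: %g\n", demo(merge_fixed, 2, 1));
    return 0;
}
```

Under a real allocator the buggy z-min is heap garbage rather than MARK, which is why only MemorySanitizer (or valgrind) reliably flags it; the hardened merge is correct under either.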
Change History (3)
comment:1 by , 6 years ago
Milestone: | PostGIS 3.0.0 → PostGIS 2.2.8 |
---|---|
Owner: | changed from | to
comment:2 by , 6 years ago
This could be related to the issue reported in #4139
Nevertheless, fixing the invalid write when the final box has more dimensions than originally doesn't fix those tests and the memory sanitizer warning is still there, so it needs more investigation.
comment:3 by , 6 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
This was finally addressed by #4139
All supported releases are affected.