Re: pg17.3 PQescapeIdentifier() ignores len

Ranier Vilela <ranier.vf@gmail.com>

From: Ranier Vilela <ranier.vf@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Justin Pryzby <pryzby@telsasoft.com>, pgsql-hackers@lists.postgresql.org
Date: 2025-02-13T19:19:36Z
Lists: pgsql-hackers
Em qui., 13 de fev. de 2025 às 16:05, Tom Lane <tgl@sss.pgh.pa.us> escreveu:

> Ranier Vilela <ranier.vf@gmail.com> writes:
> > Interesting, Coverity has some new reports regarding PQescapeIdentifier.
>
> > CID 1591290: (#1 of 1): Out-of-bounds access (OVERRUN)
> > 2. alloc_strlen: Allocating insufficient memory for the terminating null
> of
> > the string. [Note: The source code implementation of the function has
> been
> > overridden by a builtin model.]
>
> That's not new, we've been seeing those for awhile.  I've been
> ignoring them on the grounds that (a) if the code actually had such a
> problem, valgrind testing would have found it, and (b) the message is
> saying in so many words that they're ignoring our code in favor of
> somebody's apparently-inaccurate model of said code.
>
Thanks Tom, extra care is needed when analyzing these reports.

best regards,
Ranier Vilela

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Fix PQescapeLiteral()/PQescapeIdentifier() length handling