Re: Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)

From: Tom Lane
Subject: Re: Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)
Msg-id: 1836134.1712092400@sss.pgh.pa.us
In response to: [MASSMAIL] Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)  (Ranier Vilela <ranier.vf@gmail.com>)
Responses: Re: Fix out-of-bounds in the function PQescapeinternal (src/interfaces/libpq/fe-exec.c)  (Ranier Vilela <ranier.vf@gmail.com>)
List: pgsql-hackers
Ranier Vilela <ranier.vf@gmail.com> writes:
> While I was working on [1], Coverity reported some errors:
> src/bin/pg_basebackup/pg_createsubscriber.c
> CID 1542690: (#1 of 2): Out-of-bounds access (OVERRUN)
> alloc_strlen: Allocating insufficient memory for the terminating null of
> the string. [Note: The source code implementation of the function has been
> overridden by a builtin model.]
> CID 1542690: (#2 of 2): Out-of-bounds access (OVERRUN)
> alloc_strlen: Allocating insufficient memory for the terminating null of
> the string. [Note: The source code implementation of the function has been
> overridden by a builtin model.]

Yeah, we saw that in the community run too.  I'm tempted to call it
an AI hallucination.  The "Note" seems to mean that they're not
actually analyzing our code but some made-up substitute.

> The source of errors is the function PQescapeInternal.
> The slow path has bugs when num_quotes or num_backslashes are greater than
> zero.
> For each num_quotes or num_backslashes we need to allocate two more.

Nonsense.  The quote or backslash is already counted in input_len,
so we need to add just one more.

If there were anything wrong here, I'm quite sure our testing under
e.g. valgrind would have caught it years ago.  However, just to be
sure, I tried adding an Assert that the allocated space is filled
exactly, as attached.  It gets through check-world just fine.

            regards, tom lane

diff --git a/src/interfaces/libpq/fe-exec.c b/src/interfaces/libpq/fe-exec.c
index c02a9180b2..43a4ce0458 100644
--- a/src/interfaces/libpq/fe-exec.c
+++ b/src/interfaces/libpq/fe-exec.c
@@ -4255,7 +4255,9 @@ PQescapeInternal(PGconn *conn, const char *str, size_t len, bool as_ident)

     /* Closing quote and terminating NUL. */
     *rp++ = quote_char;
-    *rp = '\0';
+    *rp++ = '\0';
+
+    Assert(rp == result + result_size);

     return result;
 }
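Review bot: the new `Assert(rp == result + result_size);` only holds because `*rp = '\0';` was changed to `*rp++ = '\0';`, and nothing in the hunk says so; a short comment above the Assert stating that it verifies the slow path's result_size arithmetic (input_len, which already counts each quote or backslash once, plus one extra byte per doubled character, plus the enclosing quotes and the NUL) would stop a later reader from seeing the post-increment as a stray change, since after it rp points one past the buffer and is valid only for this comparison.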

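To make the size arithmetic in the reply concrete (each quote is already counted in input_len, so doubling it needs one extra byte), here is a simplified stand-in for the quote-doubling slow path, added as an example and not libpq's own code: it leaves out the backslash and E'' handling of the real PQescapeInternal, assumes the input has no embedded NUL, and ends with the same exact-fill check as the attached patch.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bytes needed for the quoted, quote-doubled form of str: input_len already
 * holds one byte per quote, so each doubled quote adds exactly one more,
 * plus two enclosing quotes and the terminating NUL.
 */
size_t
escape_size_needed(const char *str, size_t input_len, char quote_char)
{
    size_t      num_quotes = 0;
    const char *s;

    for (s = str; s < str + input_len; s++)
        if (*s == quote_char)
            num_quotes++;

    return input_len + num_quotes + 3;
}

/*
 * Simplified escaper (example code, not PQescapeInternal): quote_char is
 * '\'' for literals and '"' for identifiers.  Returns a malloc'd string,
 * or NULL if allocation fails; the caller frees it.
 */
char *
escape_quoted(const char *str, size_t input_len, char quote_char,
              size_t *size_out)
{
    size_t      result_size = escape_size_needed(str, input_len, quote_char);
    char       *result = malloc(result_size);
    char       *rp = result;
    const char *s;

    if (result == NULL)
        return NULL;

    *rp++ = quote_char;
    for (s = str; s < str + input_len; s++)
    {
        if (*s == quote_char)
            *rp++ = quote_char;     /* double the quote */
        *rp++ = *s;
    }
    *rp++ = quote_char;             /* closing quote */
    *rp++ = '\0';                   /* terminating NUL */

    /* same check as the patch: the buffer is filled exactly, no more, no less */
    assert(rp == result + result_size);
    if (size_out)
        *size_out = result_size;
    return result;
}
```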