Re: BUG #16050: Server crash on CREATE TEXT SEARCH DICTIONARY with awrong AffFile

On Fri, Oct 11, 2019 at 03:05:38PM +0000, PG Bug reporting form wrote:
>The following bug has been logged on the website:
>
>Bug reference:      16050
>Logged by:          Alexander Lakhin
>Email address:      exclusion@gmail.com
>PostgreSQL version: 12.0
>Operating system:   Ubuntu 18.04
>Description:
>
>The following query:
>CREATE TEXT SEARCH DICTIONARY hunspell_num (Template=ispell,
>DictFile=hunspell_sample_num, AffFile=hunspell_sample_long);
>
>crashes postgres with the stack trace:
>Core was generated by `postgres: law regression [local] CREATE TEXT SEARCH
>DICTIONARY                '.

Yep, I can reproduce it quite easily. With extra debug symbols and
memory randomization it produces a bit clearer backtrace:


Program received signal SIGSEGV, Segmentation fault.
0x00000000008fd31b in getCompoundAffixFlagValue (Conf=0x2d053c8, s=0x7f7f7f7f7f7f7f7f <error: Cannot access memory at
address0x7f7f7f7f7f7f7f7f>) at spell.c:1126
 
1126        while (*flagcur)
(gdb) bt
#0  0x00000000008fd31b in getCompoundAffixFlagValue (Conf=0x2d053c8, s=0x7f7f7f7f7f7f7f7f <error: Cannot access memory
ataddress 0x7f7f7f7f7f7f7f7f>) at spell.c:1126
 
#1  0x00000000008fe627 in makeCompoundFlags (Conf=0x2d053c8, affix=303) at spell.c:1608
#2  0x00000000008fe959 in mkSPNode (Conf=0x2d053c8, low=0, high=1, level=3) at spell.c:1680
#3  0x00000000008fea1e in mkSPNode (Conf=0x2d053c8, low=0, high=1, level=2) at spell.c:1692
#4  0x00000000008fe794 in mkSPNode (Conf=0x2d053c8, low=0, high=4, level=1) at spell.c:1652
#5  0x00000000008fe794 in mkSPNode (Conf=0x2d053c8, low=0, high=9, level=0) at spell.c:1652
...

That is, makeCompontFlags calls getCompoundAffixFlagValue with invalid
pointer 's', likely after it got already pfreed.

cheers

-- 
Tomas Vondra                  http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services