At Tue, 26 Jan 2021 07:00:00 +0000, PG Bug reporting form <noreply@postgresql.org> wrote in
> When executing in psql (under valgrind):
> \h\
>
> valgrind detects the following error:
> ==00:00:00:00.000 3226182==
> ==00:00:00:04.045 3226182== Conditional jump or move depends on
> uninitialised value(s)
> ==00:00:00:04.045 3226182== at 0x1396CB: helpSQL (help.c:600)
> ==00:00:00:04.045 3226182== by 0x120705: exec_command_help
> (command.c:1507)
> ==00:00:00:04.045 3226182== by 0x1252CD: exec_command (command.c:351)
> ==00:00:00:04.045 3226182== by 0x1258A3: HandleSlashCmds
> (command.c:222)
This is reproducible on master HEAD. helpSQL assumes that the first
word is longer than two characters and the second word exists. It also
doesn't care overruns. Addition to those issues, it miscounts the
length of the first two words if the third word exists.
=# \h ALTER VIEX HOGE
<prints help only of "ALTER VIEW"!, not of "ALTER *">
> if (x > 1) /* Nothing on first pass - try the opening
> * word(s) */
> {
> wordlen = j = 1;
!> while (topic[j] != ' ' && j++ < len)
> wordlen++;
> if (x == 2)
> {
> j++;
!> while (topic[j] != ' ' && j++ <= len)
> wordlen++;
> }
So we should check j before accessing topic[j] and count the length
correctly. The attached fixes that. This seems to be very old code.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/src/bin/psql/help.c b/src/bin/psql/help.c
index 4883ebd2ed..54fe099ad7 100644
--- a/src/bin/psql/help.c
+++ b/src/bin/psql/help.c
@@ -592,12 +592,12 @@ helpSQL(const char *topic, unsigned short int pager)
* word(s) */
{
wordlen = j = 1;
- while (topic[j] != ' ' && j++ < len)
+ while (j < len && topic[j++] != ' ')
wordlen++;
- if (x == 2)
+ if (x == 2 && j < len)
{
- j++;
- while (topic[j] != ' ' && j++ <= len)
+ wordlen++;
+ while (j < len && topic[j++] != ' ')
wordlen++;
}
if (wordlen >= len) /* Don't try again if the same word */