Shane Ambler <pgsql@007Marketing.com> writes:
> Tom Lane wrote:
>> Hm, so the question is: is it our bug or Apple's? If you kept the
>> busted history file, would you be willing to send me a copy?
> The zip file attached has the psql_history file that crashes when
> quiting but doesn't appear to contain the steps I done when it first
> crashed.
So the answer is: it's Apple's bug, or at least not ours. libedit
contains a typo that causes it to potentially fail when saving strings
exceeding 256 bytes. Check out this code (around line 730 in history.c):
len = strlen(ev.str) * 4; if (len >= max_size) { char *nptr; max_size = (len + 1023) & 1023;
nptr = h_realloc(ptr, max_size);
I think the intent of the max_size recalculation is to select the next
1K boundary larger than "len", but it actually produces a number *less*
than 1K. Probably "(len + 1023) & ~1023" was meant ... but even that
is wrong if len is exactly a multiple of 1024, because it will fail to
round up. So the buffer is realloc'd too small, and that results in
a potential memory clobber if the history entry is less than 1K, and a
guaranteed clobber if it's more.
The source code available from Apple shows that they got this code from
NetBSD originally
/* $NetBSD: history.c,v 1.25 2003/10/18 23:48:42 christos Exp $ */
so this may well be a pretty generic *BSD bug. Anyone clear on who to
report it to? I have no idea if libedit is an independent project...
regards, tom lane