Shane Ambler <[EMAIL PROTECTED]> writes:
> Tom Lane wrote:
>> Hm, so the question is: is it our bug or Apple's?  If you kept the
>> busted history file, would you be willing to send me a copy?

> The zip file attached has the psql_history file that crashes when 
> quiting but doesn't appear to contain the steps I done when it first 
> crashed.

So the answer is: it's Apple's bug, or at least not ours.  libedit
contains a typo that causes it to potentially fail when saving strings
exceeding 256 bytes.  Check out this code (around line 730 in history.c):

                len = strlen(ev.str) * 4;
                if (len >= max_size) {
                        char *nptr;
                        max_size = (len + 1023) & 1023;
                        nptr = h_realloc(ptr, max_size);

I think the intent of the max_size recalculation is to select the next
1K boundary larger than "len", but it actually produces a number *less*
than 1K.  Probably "(len + 1023) & ~1023" was meant ... but even that
is wrong if len is exactly a multiple of 1024, because it will fail to
round up.  So the buffer is realloc'd too small, and that results in
a potential memory clobber if the history entry is less than 1K, and a
guaranteed clobber if it's more.

The source code available from Apple shows that they got this code from
NetBSD originally

/*      $NetBSD: history.c,v 1.25 2003/10/18 23:48:42 christos Exp $    */

so this may well be a pretty generic *BSD bug.  Anyone clear on who to
report it to?  I have no idea if libedit is an independent project...

                        regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Reply via email to