Following function crashes plpython on x86-64 / gcc 4.1.2 / debian 4.0:

  CREATE FUNCTION crashme(str_len integer)
  RETURNS text AS $$
    raise Exception("X" * str_len)
  $$ LANGUAGE plpythonu;

  SELECT crashme(1000);

Problem turns out to be va_list handling in PLy_vprintf() which
uses same va_list repeatedly.  Fix is to va_copy to temp variable.

Additionally the atteched patch fixes 2 more problems in that function:

- its nonsensical to check existing buffer length for >0, instead the
  function result should be checked.  (which for vsnprintf() should
  always be > 0, but maybe there are non-standard systems out there?)

- the * sizeof(char) in malloc() is pointless - even if we want to support
  systems where sizeof(char) != 1, current code is wrong as from by reading
  of manpage, vsnprintf() takes buffer length in bytes but returns chars,
  so the 'blen' must be bytes anyway and the sizeof(char) must be in line:

    blen = bchar + 1;

The function seems to be essentially same since 7.2 so the patch should
apply to all branches.  If you prefer you can apply cleanups to HEAD only.


Attachment: plpy.vprintf.diff
Description: Binary data

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
       choose an index scan if your joining column's datatypes do not

Reply via email to