diff options
| author | Tom Lane | 2024-11-17 19:14:06 +0000 |
|---|---|---|
| committer | Tom Lane | 2024-11-17 19:14:06 +0000 |
| commit | df1a2633b11a3d3738eb614f17a0ea5bae719950 (patch) | |
| tree | 27ecfe2b49ee2a18569e7a0335dd6ff675778f12 | |
| parent | 290154105ce2397200a7109c7338d73cfdba6106 (diff) | |
Fix recently-exposed portability issue in regex optimization.
fixempties() counts the number of in-arcs in the regex NFA and then
allocates an array of that many arc pointers. If the NFA contains no
arcs, this amounts to malloc(0) for which some platforms return NULL.
The code mistakenly treats that as indicating out-of-memory. Thus,
we can get a bogus "out of memory" failure for some unsatisfiable
regexes.
This happens only in v15 and earlier, since bea3d7e38 switched to
using palloc() rather than bare malloc(). And at least of the
platforms in the buildfarm, only AIX seems to return NULL. So the
impact is pretty narrow. But I don't especially want to ship code
that is failing its own regression tests, so let's fix this for
this week's releases.
A quick code survey says that there is only the one place in
src/backend/regex/ that is at risk of doing malloc(0), so we'll just
band-aid that place. A more future-proof fix could be to install a
malloc() wrapper similar to pg_malloc(). But this code seems unlikely
to change much more in the affected branches, so that's probably
overkill.
The only known test case for this involves a complemented character
class in a bracket expression, for example [^\s\S], and we didn't
support that in v13. So it may be that the problem is unreachable
in v13. But I'm not 100% sure of that, so patch v13 too.
Discussion: https://postgr.es/m/[email protected]
| -rw-r--r-- | src/backend/regex/regc_nfa.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/backend/regex/regc_nfa.c b/src/backend/regex/regc_nfa.c index 82409b46327..7ab488984f5 100644 --- a/src/backend/regex/regc_nfa.c +++ b/src/backend/regex/regc_nfa.c @@ -2172,9 +2172,12 @@ fixempties(struct nfa *nfa, * current target state. totalinarcs is probably a considerable * overestimate of the space needed, but the NFA is unlikely to be large * enough at this point to make it worth being smarter. + * + * Note: totalinarcs could be zero, and some machines return NULL for + * malloc(0). Don't throw an error if so. */ arcarray = (struct arc **) MALLOC(totalinarcs * sizeof(struct arc *)); - if (arcarray == NULL) + if (arcarray == NULL && totalinarcs != 0) { NERR(REG_ESPACE); FREE(inarcsorig); |