From 5f95521b3a4ede720d8927383d79b11e37b6bc80 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Wed, 23 Mar 2016 10:43:13 -0400 Subject: [PATCH] Fix unsafe use of strtol() on a non-null-terminated Text datum. jsonb_set() could produce wrong answers or incorrect error reports, or in the worst case even crash, when trying to convert a path-array element into an integer for use as an array subscript. Per report from Vitaly Burovoy. Back-patch to 9.5 where the faulty code was introduced (in commit c6947010ceb42143). Michael Paquier --- src/backend/utils/adt/jsonfuncs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c index a4842cbcd8..6cf2b783e6 100644 --- a/src/backend/utils/adt/jsonfuncs.c +++ b/src/backend/utils/adt/jsonfuncs.c @@ -3873,7 +3873,7 @@ setPathArray(JsonbIterator **it, Datum *path_elems, bool *path_nulls, /* pick correct index */ if (level < path_len && !path_nulls[level]) { - char *c = VARDATA_ANY(path_elems[level]); + char *c = TextDatumGetCString(path_elems[level]); long lindex; errno = 0;