I wrote:
> I'm surprised we've not seen reports of other problems. The lack of
> crash in 8.2 is because iwchareq went away completely, but that's
> certainly not the only place doing conversions to pg_wchar and expecting
> the result to fit in a prespecified buffer ...
Actually, it looks like all the other places that use mb2wchar allocate a buffer with more pg_wchar's than there are bytes in the input, and so overrun is impossible even with the breakage in pg_utf2wchar_with_len. The only exception I see in CVS HEAD is sqlchar_to_unicode() in xml.c, which is new code as of 8.3devel anyway.

So we don't appear to have a serious security issue as I first feared --- the worst that can happen is a crash like this when iwchareq's return address is overwritten with a zero, and even that is only in pre-8.2. Nonetheless, the code is certainly giving wrong answers for 4-byte characters. Will go fix...

regards, tom lane
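The sizing argument in the message (a pg_wchar buffer with at least as many entries as there are input bytes cannot be overrun, because every multibyte character occupies at least one byte) is easy to see in a small decoder. The following is an added example written for this page, not PostgreSQL's pg_utf2wchar_with_len or any other code from the project: a standalone UTF-8 to 32-bit code point converter that handles 1- to 4-byte sequences, rejects malformed or truncated input, and refuses to write past the caller-supplied capacity instead of overrunning it. The type name `pg_wchar_t`, the function names, and the sample input are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a 32-bit wide-character type. */
typedef uint32_t pg_wchar_t;

/*
 * Decode UTF-8 bytes into code points, writing at most outcap entries.
 * Returns the number of code points written, or -1 on malformed input
 * or when the output buffer would overflow.
 *
 * Invariant: the result is never larger than len, because every UTF-8
 * character consumes at least one input byte. A caller that allocates
 * outcap >= len therefore never hits the capacity check.
 */
int utf8_to_wchar(const unsigned char *in, size_t len,
                  pg_wchar_t *out, size_t outcap)
{
    size_t i = 0, n = 0;

    while (i < len) {
        unsigned char c = in[i];
        size_t seqlen;
        uint32_t cp;

        if (c < 0x80)              { seqlen = 1; cp = c; }
        else if ((c & 0xE0) == 0xC0) { seqlen = 2; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { seqlen = 3; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { seqlen = 4; cp = c & 0x07; }
        else return -1;            /* stray continuation byte or 5/6-byte form */

        if (i + seqlen > len)
            return -1;             /* sequence runs past end of input */

        for (size_t k = 1; k < seqlen; k++) {
            unsigned char cc = in[i + k];
            if ((cc & 0xC0) != 0x80)
                return -1;         /* expected a continuation byte */
            cp = (cp << 6) | (cc & 0x3F);
        }

        /* Reject overlong encodings, surrogates, and values above U+10FFFF. */
        if ((seqlen == 2 && cp < 0x80) ||
            (seqlen == 3 && cp < 0x800) ||
            (seqlen == 4 && cp < 0x10000))
            return -1;
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return -1;

        if (n >= outcap)
            return -1;             /* buffer full: refuse rather than overrun */

        out[n++] = cp;
        i += seqlen;
    }
    return (int) n;
}

/* Constructed sample: "a", U+20AC (3 bytes), U+1F600 (4 bytes) = 8 bytes, 3 chars. */
static const unsigned char SAMPLE[] = {
    'a', 0xE2, 0x82, 0xAC, 0xF0, 0x9F, 0x98, 0x80
};
static const size_t SAMPLE_LEN = sizeof SAMPLE;

/* Decode the sample with the caller's capacity; used by the tests and main. */
int decode_sample(pg_wchar_t *out, size_t outcap)
{
    return utf8_to_wchar(SAMPLE, SAMPLE_LEN, out, outcap);
}

/* Decode the sample with its final 4-byte sequence cut short. */
int decode_truncated_sample(pg_wchar_t *out, size_t outcap)
{
    return utf8_to_wchar(SAMPLE, SAMPLE_LEN - 1, out, outcap);
}

int main(void)
{
    pg_wchar_t buf[sizeof SAMPLE];   /* one entry per input byte: always enough */
    int n = decode_sample(buf, sizeof SAMPLE);

    printf("decoded %d code points from %zu bytes\n", n, SAMPLE_LEN);
    for (int k = 0; k < n; k++)
        printf("  U+%04X\n", buf[k]);
    printf("truncated input -> %d\n", decode_truncated_sample(buf, sizeof SAMPLE));
    return 0;
}
```

The capacity check at the end of the loop is the defensive part: a decoder that mis-counts a 4-byte sequence as two characters still cannot write past `outcap`, and a caller who sizes the buffer by input bytes never triggers that check on well-formed input.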