Fix unsafe use of strtol() on a non-null-terminated Text datum.

jsonb_set() could produce wrong answers or incorrect error reports, or in
the worst case even crash, when trying to convert a path-array element into
an integer for use as an array subscript.  Per report from Vitaly Burovoy.
Back-patch to 9.5 where the faulty code was introduced (in commit
c6947010ceb42143).

Michael Paquier

diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c
index 363afa7699074e2a83e75deb92b523bf8ad02756..cc6dadf7932c46be541de3da0005b87694e26cb5 100644 (file)
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -3873,7 +3873,7 @@ setPathArray(JsonbIterator **it, Datum *path_elems, bool *path_nulls,
    /* pick correct index */
    if (level < path_len && !path_nulls[level])
    {
-       char       *c = VARDATA_ANY(path_elems[level]);
+       char       *c = TextDatumGetCString(path_elems[level]);
        long        lindex;
 
        errno = 0;