Fix read beyond buffer bug introduced by the split xlog.c patch.

FinishWalRecovery() copied the valid part of the last WAL block into a
palloc'd buffer, and the code in StartupXLOG() copied it to the WAL
buffer. But the memcpy in StartupXLOG() copied a full 8kB block, not
just the valid part, i.e. it copied from beyond the end of the buffer.
The invalid part was cleared immediately afterwards, so as long as the
memory was allocated and didn't segfault, it didn't do any harm, but
it can definitely segfault.

Discussion: https://www.postgresql.org/message-id/efc12e32-5af2-3485-5b1d-5af9f707491a@iki.fi

diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index eb3c516058ff4555eb46654dc78a2b1d90be483a..ce78ac413ef2bab05727fd5b257f1ecb79cb2410 100644 (file)
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -5454,7 +5454,7 @@ StartupXLOG(void)
 
        /* Copy the valid part of the last block, and zero the rest */
        page = &XLogCtl->pages[firstIdx * XLOG_BLCKSZ];
-       memcpy(page, endOfRecoveryInfo->lastPage, XLOG_BLCKSZ);
+       memcpy(page, endOfRecoveryInfo->lastPage, len);
        memset(page + len, 0, XLOG_BLCKSZ - len);
 
        XLogCtl->xlblocks[firstIdx] = endOfRecoveryInfo->lastPageBeginPtr + XLOG_BLCKSZ;