I think I found at least one part of the problem. I was able to reproduce a crash similar to yours by running the german_ispell dictionary against long random words, and what I found out is that it's possible to overrun the fixed-length "buf" buffer declared at line 1542 of spell.c.

Run till exit from #0 CheckCompoundAffixes (ptr=0x7fffc0a66a90, word=0xb31ec4 "whcfbrvhbcifxdbyrizvdcnggpgtdqzzxbeyszftboyyrzwihvdkyqqefvxilwihxmfpllimzgkpfgxmbbwyrmcxhzfsvnzszehkppvowfdblanlbjksvmpclutggsyfwfomukzqpcrzdeleouwjglkrfexlwuqszeetodjdfacifnlshhbnsmexpahlvxdubgopjxso"..., len=285, CheckInPlace=0 '\0') at spell.c:1482
0x00000000005e273e in SplitToVariants (Conf=0xb38d88, snode=0x0, orig=0x0, word=0xb31ec0 "nokgwhcfbrvhbcifxdbyrizvdcnggpgtdqzzxbeyszftboyyrzwihvdkyqqefvxilwihxmfpllimzgkpfgxmbbwyrmcxhzfsvnzszehkppvowfdblanlbjksvmpclutggsyfwfomukzqpcrzdeleouwjglkrfexlwuqszeetodjdfacifnlshhbnsmexpahlvxdubgop"..., wordlen=289, startpos=0, minpos=-1) at spell.c:1537
1537 while (level > startpos && (lenaff = CheckCompoundAffixes(&caff, word + level, wordlen - level, (node) ? true : false)) >= 0)
Value returned is $29 = 283
(gdb) s
1545 lenaff = level - startpos + lenaff;
(gdb)
1547 if (!notprobed[startpos + lenaff - 1])
(gdb)
1550 if (level + lenaff - 1 <= minpos)
(gdb)
1553 if (lenaff > 0)
(gdb)
1554 memcpy(buf, word + startpos, lenaff);
(gdb) p lenaff
$31 = 287
(gdb) p sizeof(buf)
$32 = 256
(gdb)

I still don't trust the limited-size stem[] arrays a bit, either.

I am now fairly seriously worried about what other buffer-overrun bugs may exist in the tsearch code. I would recommend a wholesale campaign to try to break it with long random words.

regards, tom lane
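The overrun shown in the gdb session above (lenaff = 287 copied into a 256-byte buf) can be modeled with a bounds-checked copy driven by long random words. This is an added example, not part of the original message and not PostgreSQL's code or its fix; the function names, the NUL terminator and the small random generator are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256    /* sizeof(buf) as printed in the gdb session */

/* Hypothetical stand-in for the memcpy at spell.c:1554. Refuses the copy when
 * it would read past word or write past buf (one byte is kept for a NUL). */
static bool copy_prefix_checked(char *buf, size_t bufsize, const char *word,
                                size_t wordlen, size_t startpos, size_t lenaff)
{
    if (startpos > wordlen || lenaff > wordlen - startpos)
        return false;   /* source range is outside the word */
    if (lenaff >= bufsize)
        return false;   /* destination too small: the case in the session */
    memcpy(buf, word + startpos, lenaff);
    buf[lenaff] = '\0';
    return true;
}

/* Fills out with a random lowercase word of length len (constructed input). */
static void random_word(char *out, size_t len, unsigned *seed)
{
    for (size_t i = 0; i < len; i++) {
        *seed = *seed * 1103515245u + 12345u;   /* deterministic LCG */
        out[i] = (char)('a' + (*seed >> 16) % 26);
    }
    out[len] = '\0';
}

/* Tries every word length in [1, maxlen], using the whole word as the prefix
 * to copy, and counts the copies an unchecked memcpy would have overrun. */
static size_t count_rejected(size_t maxlen)
{
    char buf[BUF_SIZE];
    char *word = malloc(maxlen + 1);
    unsigned seed = 1;
    size_t rejected = 0;
    if (word == NULL)
        return (size_t)-1;
    for (size_t len = 1; len <= maxlen; len++) {
        random_word(word, len, &seed);
        if (!copy_prefix_checked(buf, sizeof(buf), word, len, 0, len))
            rejected++;
    }
    free(word);
    return rejected;
}

int main(void) { printf("%zu\n", count_rejected(289)); return 0; }
```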