From manual examination of the code, it looks like pg_restore will corrupt
an internal data structure on certain abnormal inputs.

File: postgresql-8.0.2/src/bin/pg_dummp/pg_backup_archiver.c

SortTocFromFile pulls dump IDs out of a file and uses them to sort the list
entries in field toc of archive handle AH. If the same ID appears twice in
a row in the file (which seems reasonable, since the file is human-readable
and a fair amount of input validation is already performed on it), it looks
like this list will be corrupted:

tePrev is initialized to the head of the list (L886). With each iteration
of the inner loop, the entire list (including the sorted portion) is scanned
for the entry with the ID just pulled off the file (L917). If the specified
entry is found, it is moved to the position immediately after tePrev (L924),
and tePrev is advanced (L925). Since tePrev is in the scanned portion of
the list, it should be returned by getTocEntryByDumpId if the same ID is
provided twice in a row. _moveAfter will then be called with aliased
pointers, corrupting the list: the referenced value will have two self
cycles, and will be skipped over by the next pointers but not the prev.

Thanks for looking at this,

Brian Hackett


---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faq

"Brian Hackett" <bhackett (AT) stanford (DOT) edu> writes:
Yeah, I think you are right. Looks easy to fix though: we already are
building a flag array from the input, so just add a test to ignore any
already-seen ID.

Thanks for the report.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings