> Ken Ashcraft <ken@coverity.com> writes:
>> I work at Coverity where we use static analysis to find bugs in
>> software. I ran a security checker over postgresql-7.4.1 and I think I
>> found a security hole.
>>
>> In the code below, fld_size gets copied in from a user specified file.
>> It is passed as the 'needed' parameter to enlargeStringInfo(). If
>> needed is a very large positive value, the addition 'needed += str->len
>> + 1;' could cause an overflow, making needed a negative number.
>
> I've applied a patch that fixes this issue, as well as the related one
> that enlargeStringInfo could go into an infinite loop.
>
> Although the path of control you identify doesn't seem very threatening
> (since one must already be superuser to execute COPY from a file), the
> same sort of problem could be triggered by sending a malformed data
> packet, thus opening up the problem to anyone who can get past the
> initial postmaster authentication check. So this is more severe than we
> first thought.
>
Great. Thanks for the feedback. If it is serious, is an advisory in order?
Ken
