Home > mailing lists

Re: Further issues with jsonb semantics, documentation - Mailing list pgsql-hackers

From	Andrew Dunstan
Subject	Re: Further issues with jsonb semantics, documentation
Date	June 13, 2015 02:31:18
Msg-id	557B6BBD.1050106@dunslane.net Whole thread Raw
In response to	Re: Further issues with jsonb semantics, documentation (Peter Geoghegan <pg@heroku.com>)
Responses	Re: Further issues with jsonb semantics, documentation (Peter Geoghegan <pg@heroku.com>)
List	pgsql-hackers

Tree view

On 06/12/2015 06:16 PM, Peter Geoghegan wrote:
> On Thu, Jun 4, 2015 at 5:43 PM, Peter Geoghegan <pg@heroku.com> wrote:
>> BTW, there is a bug here -- strtol() needs additional defenses [1]
>> (before casting to int):
>>
>> postgres=# select jsonb_set('[1, 2, 3, 4,
>> 5,6,7,8,9,10,11,12,13,14,15,16,17,18]',
>> '{"9223372036854775806"}'::text[], '"Input unsanitized"', false) ;
>>                                      jsonb_set
>> ----------------------------------------------------------------------------------
>>   [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, "Input
>> unsanitized", 18]
>> (1 row)
>>
>> [1]
https://www.securecoding.cert.org/confluence/display/cplusplus/INT06-CPP.+Use+strtol()+or+a+related+function+to+convert+a+string+token+to+an+integer
> I attach a fix for this bug. The commit message explains everything.



OK, pushed, although you'd have to be trying really hard to break this. 
Still, it's reasonable to defend against.

cheers

andrew

pgsql-hackers by date:

From: Steve Kehlet
Date: 13 June 2015, 02:27:30
Subject: Re: [GENERAL] 9.4.1 -> 9.4.2 problem: could not access status of transaction 1

From: Peter Geoghegan
Date: 13 June 2015, 02:32:29
Subject: Re: Further issues with jsonb semantics, documentation

Re: Further issues with jsonb semantics, documentation - Mailing list pgsql-hackers

Previous

Next