Home > mailing lists

pgsql: Prevent buffer overrun while parsing an integer in a "query_int" - Mailing list pgsql-committers

From	Tom Lane
Subject	pgsql: Prevent buffer overrun while parsing an integer in a "query_int"
Date	February 1, 2011 15:06:37
Msg-id	E1Piac7-0005sy-9N@gemulon.postgresql.org Whole thread Raw
List	pgsql-committers

Tree view

Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution.  The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015

Branch
------
master

Details
-------
http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=7ccb6dc2d3e266a551827bb99179708580f72431

Modified Files
--------------
contrib/intarray/_int_bool.c |   26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)

pgsql-committers by date:

From: Andrew Dunstan
Date: 01 February 2011, 14:07:54
Subject: pgsql: Set up PLPerl trigger data using C code instead of Perl code.

From: Tom Lane
Date: 01 February 2011, 15:06:38
Subject: pgsql: Prevent buffer overrun while parsing an integer in a "query_int"

pgsql: Prevent buffer overrun while parsing an integer in a "query_int" - Mailing list pgsql-committers

Previous

Next