Home > mailing lists

pgsql: Prevent buffer overrun while parsing an integer in a "query_int" - Mailing list pgsql-committers

From	Tom Lane
Subject	pgsql: Prevent buffer overrun while parsing an integer in a "query_int"
Date	February 1, 2011 15:06:42
Msg-id	E1Piac7-0005t2-E6@gemulon.postgresql.org Whole thread Raw
List	pgsql-committers

Tree view

Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution.  The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015

Branch
------
REL8_2_STABLE

Details
-------
http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=e11349fdbae7295b91699a70a791c093fc6d254e

Modified Files
--------------
contrib/intarray/_int_bool.c |   26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)

pgsql-committers by date:

From: Tom Lane
Date: 01 February 2011, 15:06:40
Subject: pgsql: Prevent buffer overrun while parsing an integer in a "query_int"

From: Bruce Momjian
Date: 01 February 2011, 16:23:22
Subject: pgsql: Add pg_upgrade comment for why we can't use template1 inheritanc

pgsql: Prevent buffer overrun while parsing an integer in a "query_int" - Mailing list pgsql-committers

Previous

Next