pgsql: Fix heap-buffer-overflow in pglz_decompress() on corrupt input. - Mailing list pgsql-committers

From Andrew Dunstan
Subject pgsql: Fix heap-buffer-overflow in pglz_decompress() on corrupt input.
Date
Msg-id E1wBD1L-000Jfs-1s@gemulon.postgresql.org
List pgsql-committers
Fix heap-buffer-overflow in pglz_decompress() on corrupt input.

When decoding a match tag, pglz_decompress() reads 2 bytes (or 3
for extended-length matches) from the source buffer before checking
whether enough data remains.  The existing bounds check (sp > srcend)
occurs after the reads, so truncated compressed data that ends
mid-tag causes a read past the allocated buffer.

Fix by validating that sufficient source bytes are available before
reading each part of the match tag.  The post-read sp > srcend
check is no longer needed and is removed.

Found by fuzz testing with libFuzzer and AddressSanitizer.

Backpatch-through: 14

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/c88ad3a2122eae875b77eb5cba3b7bda5c92f251

Modified Files
--------------
src/common/pg_lzcompress.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
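The check-before-read ordering the commit describes, shown in a minimal pglz-style decoder written for this note (not PostgreSQL's pglz_decompress()): each bounds test runs before the bytes it guards are read, so a stream that ends mid-tag returns -1 instead of reading past the source buffer. The tag layout in the comment is an assumption of this example, and the output-side and offset checks are simplified.

```c
#include <string.h>

/*
 * Minimal pglz-style decoder, written for this note; not PostgreSQL's code.
 * Assumed layout: a control byte, then up to 8 items chosen by its bits from
 * low to high.  Clear bit = one literal byte.  Set bit = 2-byte match tag
 * (low nibble of byte 0 = length - 3; high nibble of byte 0 and byte 1 =
 * 12-bit back-offset), plus an extension byte when the nibble is 15.
 * Returns the number of bytes written, or -1 on corrupt or truncated input.
 */
int pglz_like_decompress(const unsigned char *src, int slen,
                         unsigned char *dst, int rawsize)
{
    const unsigned char *sp = src, *srcend = src + slen;
    unsigned char *dp = dst, *destend = dst + rawsize;

    while (sp < srcend && dp < destend)
    {
        unsigned char ctrl = *sp++;
        int ctrlc;

        for (ctrlc = 0; ctrlc < 8 && sp < srcend && dp < destend; ctrlc++)
        {
            if (ctrl & 1)
            {
                int len, off;
                /* Validate before reading: both tag bytes must be present. */
                if (srcend - sp < 2)
                    return -1;
                len = (sp[0] & 0x0f) + 3;
                off = ((sp[0] & 0xf0) << 4) | sp[1];
                sp += 2;
                /* Extended length: the third byte must be present as well. */
                if (len == 18)
                {
                    if (sp >= srcend)
                        return -1;
                    len += *sp++;
                }
                /* off == 0 would spin forever; a large off reads before dst. */
                if (off == 0 || off > dp - dst || len > destend - dp)
                    return -1;
                for (; len > 0; len--, dp++)    /* byte copy; overlap is legal */
                    *dp = dp[-off];
            }
            else
                *dp++ = *sp++;                  /* literal byte */
            ctrl >>= 1;
        }
    }
    return (int) (dp - dst);
}
```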

