From: | Mikhail Gribkov <youzhick(at)gmail(dot)com> |
---|---|
To: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Wrong buffer limits check |
Date: | 2024-01-29 13:37:44 |
Message-ID: | CAMEv5_uWvcMCMdRFDsJLz2Q8g16HEa9xWyfrkr+FYMMFJhawOw@mail.gmail.com |
Lists: | pgsql-hackers |
Hi hackers,
I have tried to analyse Postgres code with Svace static analyzer [1] and
found something I think is a real bug.
In pgp-decrypt.c, in prefix_init function the following check:
if (len > sizeof(tmpbuf))
seems to be erroneous and should really look this way:
if (len > PGP_MAX_BLOCK)
Otherwise the below checks in this line could lead to buffer overflows:
if (buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1])
This is because buf will point to tmpbuf, while tmpbuf has a size of
PGP_MAX_BLOCK + 2.
What do you think? The proposed patch towards the current master branch is
attached.
[1] - https://svace.pages.ispras.ru/svace-website/en/
--
best regards,
Mikhail A. Gribkov
e-mail: youzhick(at)gmail(dot)com
http://www.flickr.com/photos/youzhick/albums
http://www.strava.com/athletes/5085772
phone: +7(916)604-71-12
Telegram: @youzhick
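The reasoning in the mail can be checked with a small simulation. The following C program is an added example, not code from the mail or from pgcrypto: it models a `tmpbuf` of `PGP_MAX_BLOCK + 2` bytes and the four indexes touched by the compare `buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1]`, and lets the caller pick either guard. Every byte access goes through a bounds-checked helper that reports an out-of-bounds index instead of reading it, so the program stays memory-safe while showing which `len` values each guard lets through. The value `PGP_MAX_BLOCK 16`, the `prefix_check`/`make_prefix_stream` names and the result codes are assumptions for the example; the stream read is simulated with a copy clamped to the buffer size, since the mail only discusses the compare.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed value for this example; pgcrypto defines the real one in pgp.h. */
#define PGP_MAX_BLOCK 16
/* tmpbuf is PGP_MAX_BLOCK + 2 bytes, as the mail states. */
#define TMPBUF_SIZE (PGP_MAX_BLOCK + 2)

/* Which guard protects the buffer: the one in the mail, or the proposed fix. */
enum guard_kind { GUARD_SIZEOF_TMPBUF, GUARD_PGP_MAX_BLOCK };

/* Result codes of the simulation (not pgcrypto's PXE_* codes). */
enum prefix_result {
    PREFIX_OK = 0,            /* resync bytes repeat the last two prefix bytes */
    PREFIX_CORRUPT = 1,       /* short read or resync mismatch */
    PREFIX_REJECTED = 2,      /* len refused by the guard */
    PREFIX_OUT_OF_BOUNDS = 3  /* the compare would index past tmpbuf */
};

/* Bounds-checked read: reports an overflow instead of touching memory outside buf. */
static bool
read_byte(const unsigned char *buf, size_t bufsize, size_t idx, unsigned char *out)
{
    if (idx >= bufsize)
        return false;
    *out = buf[idx];
    return true;
}

/*
 * Models prefix_init's check: len prefix bytes followed by two resync bytes,
 * all read into tmpbuf, then buf[len-2]/buf[len] and buf[len-1]/buf[len+1]
 * are compared. `stream` is the constructed input the reader would deliver.
 */
static enum prefix_result
prefix_check(const unsigned char *stream, size_t stream_len, int len,
             enum guard_kind guard)
{
    unsigned char tmpbuf[TMPBUF_SIZE];
    unsigned char *buf = tmpbuf;          /* buf points to tmpbuf, as in the mail */
    size_t want = (size_t) len + 2;       /* bytes the compare actually needs */
    unsigned char a, b, c, d;

    if (len < 2)
        return PREFIX_REJECTED;
    if (guard == GUARD_SIZEOF_TMPBUF && len > (int) sizeof(tmpbuf))
        return PREFIX_REJECTED;           /* guard currently in the mail's quote */
    if (guard == GUARD_PGP_MAX_BLOCK && len > PGP_MAX_BLOCK)
        return PREFIX_REJECTED;           /* guard the mail proposes */

    if (stream_len < want)
        return PREFIX_CORRUPT;            /* short read */
    memset(tmpbuf, 0, sizeof(tmpbuf));
    /* Clamped copy keeps the simulation itself in bounds. */
    memcpy(tmpbuf, stream, want < sizeof(tmpbuf) ? want : sizeof(tmpbuf));

    /* Same four indexes as the real compare, each one bounds-checked. */
    if (!read_byte(buf, sizeof(tmpbuf), (size_t) len - 2, &a) ||
        !read_byte(buf, sizeof(tmpbuf), (size_t) len, &b) ||
        !read_byte(buf, sizeof(tmpbuf), (size_t) len - 1, &c) ||
        !read_byte(buf, sizeof(tmpbuf), (size_t) len + 1, &d))
        return PREFIX_OUT_OF_BOUNDS;

    return (a != b || c != d) ? PREFIX_CORRUPT : PREFIX_OK;
}

/*
 * Constructed input: len prefix bytes plus two resync bytes that repeat the
 * last two prefix bytes, i.e. a well-formed prefix. Returns bytes written.
 */
static size_t
make_prefix_stream(unsigned char *out, size_t outsize, int len)
{
    size_t n = (size_t) len + 2;

    if (len < 2 || n > outsize)
        return 0;
    for (int i = 0; i < len; i++)
        out[i] = (unsigned char) (0xA0 + i);
    out[len] = out[len - 2];
    out[len + 1] = out[len - 1];
    return n;
}
```

With the `sizeof(tmpbuf)` guard, `len` values of `PGP_MAX_BLOCK + 1` and `PGP_MAX_BLOCK + 2` pass the check but make the compare index `tmpbuf[PGP_MAX_BLOCK + 2]` or beyond; the `PGP_MAX_BLOCK` guard rejects both, and the largest accepted `len` reads at most `tmpbuf[PGP_MAX_BLOCK + 1]`, the last valid byte.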
Attachment | Content-Type | Size |
---|---|---|
v001-Fix_buffer_len_check.patch | application/octet-stream | 481 bytes |