| From: | Mikhail Gribkov <youzhick(at)gmail(dot)com> |
|---|---|
| To: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Wrong buffer limits check |
| Date: | 2024-01-29 13:37:44 |
| Message-ID: | CAMEv5_uWvcMCMdRFDsJLz2Q8g16HEa9xWyfrkr+FYMMFJhawOw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi hackers,
I have tried to analyse Postgres code with Svace static analyzer [1] and
found something I think is a real bug.
In pgp-decrypt.c, in prefix_init function the following check:
if (len > sizeof(tmpbuf))
seem to be erroneous and should really look this way:
if (len > PGP_MAX_BLOCK)
Otherwise the below checks in this line could lead to buffer overflows:
if (buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1])
This is because buf will point to tmpbuf, while tmpbuf have a size of
PGP_MAX_BLOCK + 2.
What do you think? The proposed patch towarts the current master branch is
attached.
[1] - https://svace.pages.ispras.ru/svace-website/en/
--
best regards,
Mikhail A. Gribkov
e-mail: youzhick(at)gmail(dot)com
*http://www.flickr.com/photos/youzhick/albums
<http://www.flickr.com/photos/youzhick/albums>*
http://www.strava.com/athletes/5085772
phone: +7(916)604-71-12
Telegram: @youzhick
| Attachment | Content-Type | Size |
|---|---|---|
| v001-Fix_buffer_len_check.patch | application/octet-stream | 481 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2024-01-29 13:42:02 | Re: psql: add \create_function command |
| Previous Message | Kurlaev Jaroslav | 2024-01-29 13:30:41 | RE: Finding every use of a built-in function |