| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-committers(at)postgresql(dot)org |
| Subject: | pgsql: Prevent buffer overrun while parsing an integer in a "query_int" |
| Date: | 2011-01-27 22:46:51 |
| Message-ID: | E1Piac7-0005t2-E6@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Prevent buffer overrun while parsing an integer in a "query_int" value.
contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution. The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.
Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.
Security: CVE-2010-4015
Branch
------
REL8_2_STABLE
Details
-------
http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=e11349fdbae7295b91699a70a791c093fc6d254e
Modified Files
--------------
contrib/intarray/_int_bool.c | 26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2011-01-27 22:48:00 | pgsql: Update release notes. |
| Previous Message | Tom Lane | 2011-01-27 21:30:26 | pgsql: Don't include <asm/ia64regs.h> unnecessarily. |