pgsql: Guard against empty buffer in gets_fromFile()'s check for a newl

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Guard against empty buffer in gets_fromFile()'s check for a newl
Date: 2016-07-28 22:58:30
Message-ID: E1bSuG6-00053I-Ob@gemulon.postgresql.org
Lists: pgsql-committers

Guard against empty buffer in gets_fromFile()'s check for a newline.

Per the fgets() specification, it cannot return without reading some data
unless it reports EOF or error. So the code here assumed that the data
buffer would necessarily be nonempty when we go to check for a newline
having been read. However, Agostino Sarubbo noticed that this could fail
to be true if the first byte of the data is a NUL (\0). The fgets() API
doesn't really work for embedded NULs, which is something I don't feel
any great need for us to worry about since we generally don't allow NULs
in SQL strings anyway. But we should not access off the end of our own
buffer if the case occurs. Normally this would just be a harmless read,
but if you were unlucky the byte before the buffer would contain '\n'
and we'd overwrite it with '\0', and if you were really unlucky that
might be valuable data and psql would crash.

Agostino reported this to pgsql-security, but after discussion we concluded
that it isn't worth treating as a security bug; if you can control the
input to psql you can do far more interesting things than just maybe-crash
it. Nonetheless, it is a bug, so back-patch to all supported versions.

Branch
------
REL9_2_STABLE

Details
-------
http://git.postgresql.org/pg/commitdiff/76c10ca318df0e7f2b2e2840ae496d7000d1ca37

Modified Files
--------------
src/bin/psql/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
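To make the failure mode concrete, here is an added illustration (not psql's own input.c code, which is not shown on this page) of the kind of newline check the commit describes, with the empty-buffer guard in place. `read_line_guarded`, `demo_case` and the constructed inputs are hypothetical names and data for this example; the guard is the `len > 0` test that keeps `buf[len - 1]` from becoming `buf[-1]` when the first byte read is a NUL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a "did fgets() read a full line?" check.
 * Returns -1 on EOF/error, 1 if a trailing '\n' was found (and stripped),
 * 0 if fgets() returned data without a newline. */
static int read_line_guarded(char *buf, size_t bufsize, FILE *fp)
{
    size_t len;

    if (fgets(buf, bufsize, fp) == NULL)
        return -1;                      /* EOF or error: buf is untouched */
    len = strlen(buf);
    /* Guard: fgets() cannot return without consuming data, but a leading
     * NUL byte makes strlen() report 0 anyway.  Without "len > 0" the
     * next line would read buf[-1] and possibly write '\0' there. */
    if (len > 0 && buf[len - 1] == '\n')
    {
        buf[len - 1] = '\0';
        return 1;
    }
    return 0;
}

static char last_line[64];              /* buffer fgets() fills for the demo */

/* Runs the check over constructed bytes via tmpfile() so it works offline. */
int demo_case(const char *data, size_t n)
{
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL)
        return -2;
    fwrite(data, 1, n, fp);
    rewind(fp);
    rc = read_line_guarded(last_line, sizeof last_line, fp);
    fclose(fp);
    return rc;
}

const char *demo_last_line(void) { return last_line; }

int main(void)
{
    static const char normal[] = "select 1;\n";        /* constructed input */
    static const char leading_nul[] = "\0select 1;\n"; /* constructed input */

    printf("normal:      rc=%d text=\"%s\"\n",
           demo_case(normal, sizeof normal - 1), demo_last_line());
    printf("leading NUL: rc=%d strlen=%zu (buf[-1] never touched)\n",
           demo_case(leading_nul, sizeof leading_nul - 1), strlen(demo_last_line()));
    return 0;
}
```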
