On Sat, Jun 24, 2017 at 10:03:25AM -0400, Peter Eisentraut wrote:
> On 6/23/17 12:31, Tom Lane wrote:
> > icu_to_uchar() and icu_from_uchar(), and perhaps other places, are
> > touchingly naive about integer overflow hazards in buffer size
> > calculations. I call particular attention to this bit in
> > icu_from_uchar():
> >
> > len_result = UCNV_GET_MAX_BYTES_FOR_STRING(len_uchar, ucnv_getMaxCharSize(icu_converter));
> >
> > The ICU man pages say that that macro is defined as
> >
> > #define UCNV_GET_MAX_BYTES_FOR_STRING(length, maxCharSize) (((int32_t)(length)+10)*(int32_t)(maxCharSize))
> >
> > which means that getting this to overflow (resulting in
> > probably-exploitable memory overruns) would be about as hard as taking
> > candy from a baby.
>
> Here is a patch that should address this.
[Action required within three days. This is a generic notification.]
The above-described topic is currently a PostgreSQL 10 open item. Peter,
since you committed the patch believed to have created it, you own this open
item. If some other commit is more relevant or if this does not belong as a
v10 open item, please let us know. Otherwise, please observe the policy on
open item ownership[1] and send a status update within three calendar days of
this message. Include a date for your subsequent status update. Testers may
discover new open items at any time, and I want to plan to get them all fixed
well in advance of shipping v10. Consequently, I will appreciate your efforts
toward speedy resolution. Thanks.
[1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com