Hi hackers,
I have tried to analyse the Postgres code with the Svace static analyzer [1] and found something I think is a real bug.
In pgp-decrypt.c, in the prefix_init function, the following check:
if (len > sizeof(tmpbuf))
seems to be erroneous and should really look this way:
if (len > PGP_MAX_BLOCK)
Otherwise the checks in the line below could lead to buffer overflows:
if (buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1])
This is because buf will point to tmpbuf, while tmpbuf has a size of PGP_MAX_BLOCK + 2.
What do you think? The proposed patch against the current master branch is attached.
[1] https://svace.pages.ispras.ru/svace-website/en/