pgsql: Prevent buffer overrun while parsing an integer in a "query_int"

From: Tom Lane
Subject: pgsql: Prevent buffer overrun while parsing an integer in a "query_int"
Msg-id: E1Piac7-0005t0-B1@gemulon.postgresql.org
List: pgsql-committers

Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution.  The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015

Branch
------
REL8_4_STABLE

Details
-------
http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=d1fd7b290c82867d6abe945551546d398741a4b3

Modified Files
--------------
contrib/intarray/_int_bool.c |   26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)
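
The two checks the commit message describes (a bound on the digit buffer and a range check on the resulting integer), sketched as an added example; this is not the code from the commit or from contrib/intarray. The helper name `parse_int_token`, the status codes and the buffer size `NUMBUF` are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define NUMBUF 16   /* assumed size; the page does not give the real one */

enum tok_status { TOK_OK, TOK_NOT_NUMBER, TOK_TOO_LONG, TOK_OUT_OF_RANGE };

/* Hypothetical helper: parse an optionally signed decimal integer at *sp
 * into *out and advance *sp past it. On any error *sp and *out are untouched. */
static enum tok_status
parse_int_token(const char **sp, int *out)
{
    char        buf[NUMBUF];
    size_t      n = 0;
    const char *p = *sp;
    char       *end;
    long        v;

    if (*p == '-' || *p == '+')
        buf[n++] = *p++;
    if (*p < '0' || *p > '9')
        return TOK_NOT_NUMBER;
    while (*p >= '0' && *p <= '9')
    {
        /* Guard 1: check before every store, keeping one byte for '\0'. */
        if (n >= sizeof(buf) - 1)
            return TOK_TOO_LONG;
        buf[n++] = *p++;
    }
    buf[n] = '\0';

    /* Guard 2: the digits fit the buffer, but the value may not fit an int. */
    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < INT_MIN || v > INT_MAX)
        return TOK_OUT_OF_RANGE;
    *out = (int) v;
    *sp = p;
    return TOK_OK;
}

int main(void)
{
    /* Constructed input: far more digits than the buffer can hold. */
    const char *s = "1234567890123456789012345678901234567890";
    int         v = 0;

    printf("status=%d\n", (int) parse_int_token(&s, &v));
    return 0;
}
```

With this buffer size, a digit run longer than 15 characters is rejected even when leading zeros would make its value small.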
