pgsql: Prevent buffer overrun while parsing an integer in a "query_int"
From:
Tom Lane <tgl@sss.pgh.pa.us>
Date:
Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an integer's digits, and did not guard against overrunning the buffer. This is at least a backend crash risk, and in principle might allow arbitrary code execution. The code didn't check for overflow of the integer value either, which while not presenting a crash risk was still bad.

Thanks to Apple Inc's security team for reporting this issue and supplying the fix.

Security: CVE-2010-4015

Branch
------
REL8_4_STABLE

Details
-------
http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=d1fd7b290c82867d6abe945551546d398741a4b3

Modified Files
--------------
contrib/intarray/_int_bool.c | 26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)
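
The two checks the commit message describes, a bound on the digit buffer and a range check on the parsed value, shown as an added example. This is not the PostgreSQL code or the fix from this commit; `get_int_token`, `NUMBUF` and the status names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NUMBUF 16 /* hypothetical size of the fixed digit buffer */
enum tok_status { TOK_OK, TOK_NOT_INT, TOK_TOO_LONG, TOK_OUT_OF_RANGE };

/* Read a signed decimal integer at *pp; on success store it and advance *pp. */
enum tok_status get_int_token(const char **pp, int32_t *val)
{
    char buf[NUMBUF];
    size_t n = 0;
    const char *p = *pp;
    char *end;
    long lval;

    if (*p == '-' || *p == '+')
        buf[n++] = *p++;
    if (!isdigit((unsigned char) *p))
        return TOK_NOT_INT;
    while (isdigit((unsigned char) *p))
    {
        /* Guard 1: keep one byte for the terminator. Without this test a
         * long digit run writes past the end of buf on the stack. */
        if (n >= sizeof(buf) - 1)
            return TOK_TOO_LONG;
        buf[n++] = *p++;
    }
    buf[n] = '\0';

    /* Guard 2: reject values that do not fit the 32-bit result. */
    errno = 0;
    lval = strtol(buf, &end, 10);
    if (errno == ERANGE || *end != '\0' || lval < INT32_MIN || lval > INT32_MAX)
        return TOK_OUT_OF_RANGE;
    *val = (int32_t) lval;
    *pp = p;
    return TOK_OK;
}

int main(void)
{
    const char *in = "99999999999999999999999999999999"; /* constructed input */
    int32_t v = 0;
    printf("status=%d\n", (int) get_int_token(&in, &v));
    return 0;
}
```

A token with many leading zeros is rejected as too long here even when its value is small, which is the conservative side to fail on.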