diff options
author | Tom Lane <tgl@sss.pgh.pa.us> | 2011-01-27 17:41:56 -0500 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2011-01-27 17:43:34 -0500 |
commit | 23f2e93afff29520cb5c03e30f1928010af81938 (patch) | |
tree | 7d01e4b53d38d5add7749cf1357efc39300c319b | |
parent | 9ca60201119fdc41b05beb7063ee5f8d359d099b (diff) | |
download | postgresql-23f2e93afff29520cb5c03e30f1928010af81938.tar.gz |
Prevent buffer overrun while parsing an integer in a "query_int" value.
contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution. The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.
Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.
Security: CVE-2010-4015
-rw-r--r-- | contrib/intarray/_int_bool.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/contrib/intarray/_int_bool.c b/contrib/intarray/_int_bool.c index 8af6100214..ae37539fe1 100644 --- a/contrib/intarray/_int_bool.c +++ b/contrib/intarray/_int_bool.c @@ -55,24 +55,25 @@ typedef struct static int4 gettoken(WORKSTATE * state, int4 *val) { - char nnn[16], - *curnnn; + char nnn[16]; + int innn; *val = 0; /* default result */ - curnnn = nnn; + innn = 0; while (1) { + if (innn >= sizeof(nnn)) + return ERR; /* buffer overrun => syntax error */ switch (state->state) { case WAITOPERAND: - curnnn = nnn; + innn = 0; if ((*(state->buf) >= '0' && *(state->buf) <= '9') || *(state->buf) == '-') { state->state = WAITENDOPERAND; - *curnnn = *(state->buf); - curnnn++; + nnn[innn++] = *(state->buf); } else if (*(state->buf) == '!') { @@ -92,13 +93,18 @@ gettoken(WORKSTATE * state, int4 *val) case WAITENDOPERAND: if (*(state->buf) >= '0' && *(state->buf) <= '9') { - *curnnn = *(state->buf); - curnnn++; + nnn[innn++] = *(state->buf); } else { - *curnnn = '\0'; - *val = (int4) atoi(nnn); + long lval; + + nnn[innn] = '\0'; + errno = 0; + lval = strtol(nnn, NULL, 0); + *val = (int4) lval; + if (errno != 0 || (long) *val != lval) + return ERR; state->state = WAITOPERATOR; return (state->count && *(state->buf) == '\0') ? ERR : VAL; |