author: Tom Lane, 2011-01-27 22:41:56 +0000
committer: Tom Lane, 2011-01-27 22:43:34 +0000
commit: 23f2e93afff29520cb5c03e30f1928010af81938
tree: 7d01e4b53d38d5add7749cf1357efc39300c319b /doc/bug.template
parent: 9ca60201119fdc41b05beb7063ee5f8d359d099b

Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an integer's digits, and did not guard against overrunning the buffer. This is at least a backend crash risk, and in principle might allow arbitrary code execution. The code didn't check for overflow of the integer value either, which while not presenting a crash risk was still bad.

Thanks to Apple Inc's security team for reporting this issue and supplying the fix.

Security: CVE-2010-4015

Diffstat (limited to 'doc/bug.template')
0 files changed, 0 insertions, 0 deletions
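
An added example, not PostgreSQL's code and not the fix from this commit: one way to collect digits into a fixed-size buffer with both checks the commit message names, a length guard and a value-range check. `parse_int_token`, `DIGIT_BUF_SIZE` and the status codes are hypothetical names, and the inputs in `main` are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DIGIT_BUF_SIZE 16   /* assumed size, not taken from the page */

enum tok_status { TOK_OK = 0, TOK_NO_DIGITS, TOK_TOO_LONG, TOK_OUT_OF_RANGE };

/* Copy an optionally signed digit run from src into a fixed buffer, rejecting
 * input that would not fit, then convert with an explicit int32 range check. */
enum tok_status
parse_int_token(const char *src, int32_t *out, const char **end)
{
    char        buf[DIGIT_BUF_SIZE];
    size_t      n = 0;
    const char *p = src;
    long        v;

    if (*p == '-' || *p == '+')
        buf[n++] = *p++;
    if (*p < '0' || *p > '9')
        return TOK_NO_DIGITS;
    while (*p >= '0' && *p <= '9')
    {
        /* length guard: always leave one byte for the terminator */
        if (n >= sizeof(buf) - 1)
            return TOK_TOO_LONG;
        buf[n++] = *p++;
    }
    buf[n] = '\0';

    errno = 0;
    v = strtol(buf, NULL, 10);
    /* ERANGE covers platforms with 32-bit long, the compare covers 64-bit */
    if (errno == ERANGE || v < INT32_MIN || v > INT32_MAX)
        return TOK_OUT_OF_RANGE;
    *out = (int32_t) v;
    *end = p;               /* first character after the token */
    return TOK_OK;
}

int main(void)
{
    const char *in[] = { "123&456", "2147483648", "11111111111111111111" };
    int32_t v = 0; const char *e;
    for (size_t i = 0; i < 3; i++)      /* constructed inputs */
        printf("%s -> status %d\n", in[i], (int) parse_int_token(in[i], &v, &e));
    return 0;
}
```

Because the length guard counts every digit, a long run of leading zeros is rejected as `TOK_TOO_LONG` rather than parsed.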