From: Tom Lane Date: Thu, 27 Jan 2011 22:41:46 +0000 (-0500) Subject: Prevent buffer overrun while parsing an integer in a "query_int" value. X-Git-Tag: REL9_0_3~2 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=d6d145673f8df3bd05939b1781e99acead9daae5;p=pg-rex%2Fsyncrep.git Prevent buffer overrun while parsing an integer in a "query_int" value. contrib/intarray's gettoken() uses a fixed-size buffer to collect an integer's digits, and did not guard against overrunning the buffer. This is at least a backend crash risk, and in principle might allow arbitrary code execution. The code didn't check for overflow of the integer value either, which while not presenting a crash risk was still bad. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. Security: CVE-2010-4015 --- diff --git a/contrib/intarray/_int_bool.c b/contrib/intarray/_int_bool.c index 9390106611..7a478faa83 100644 --- a/contrib/intarray/_int_bool.c +++ b/contrib/intarray/_int_bool.c @@ -62,24 +62,25 @@ typedef struct static int4 gettoken(WORKSTATE *state, int4 *val) { - char nnn[16], - *curnnn; + char nnn[16]; + int innn; *val = 0; /* default result */ - curnnn = nnn; + innn = 0; while (1) { + if (innn >= sizeof(nnn)) + return ERR; /* buffer overrun => syntax error */ switch (state->state) { case WAITOPERAND: - curnnn = nnn; + innn = 0; if ((*(state->buf) >= '0' && *(state->buf) <= '9') || *(state->buf) == '-') { state->state = WAITENDOPERAND; - *curnnn = *(state->buf); - curnnn++; + nnn[innn++] = *(state->buf); } else if (*(state->buf) == '!') { @@ -99,13 +100,18 @@ gettoken(WORKSTATE *state, int4 *val) case WAITENDOPERAND: if (*(state->buf) >= '0' && *(state->buf) <= '9') { - *curnnn = *(state->buf); - curnnn++; + nnn[innn++] = *(state->buf); } else { - *curnnn = '\0'; - *val = (int4) atoi(nnn); + long lval; + + nnn[innn] = '\0'; + errno = 0; + lval = strtol(nnn, NULL, 0); + *val = (int4) lval; + if (errno != 0 || (long) *val != lval) + return ERR; state->state = WAITOPERATOR; return (state->count && *(state->buf) == '\0') ? ERR : VAL;