
postgresql-8.1.23-10.el5_10.src.rpm

Fix buffer overrun and failure to check for overflow in the input function
for the query_int datatype (CVE-2010-4015)


diff -Naur postgresql-8.1.23.orig/contrib/intarray/_int_bool.c postgresql-8.1.23/contrib/intarray/_int_bool.c
--- postgresql-8.1.23.orig/contrib/intarray/_int_bool.c	2010-12-13 22:52:30.000000000 -0500
+++ postgresql-8.1.23/contrib/intarray/_int_bool.c	2011-01-28 15:19:45.848466111 -0500
@@ -55,24 +55,25 @@
 static int4
 gettoken(WORKSTATE * state, int4 *val)
 {
-	char		nnn[16],
-			   *curnnn;
+	char		nnn[16];
+	int			innn;
 
 	*val = 0;					/* default result */
 
-	curnnn = nnn;
+	innn = 0;
 	while (1)
 	{
+		if (innn >= sizeof(nnn))
+			return ERR;			/* buffer overrun => syntax error */
 		switch (state->state)
 		{
 			case WAITOPERAND:
-				curnnn = nnn;
+				innn = 0;
 				if ((*(state->buf) >= '0' && *(state->buf) <= '9') ||
 					*(state->buf) == '-')
 				{
 					state->state = WAITENDOPERAND;
-					*curnnn = *(state->buf);
-					curnnn++;
+					nnn[innn++] = *(state->buf);
 				}
 				else if (*(state->buf) == '!')
 				{
@@ -92,13 +93,18 @@
 			case WAITENDOPERAND:
 				if (*(state->buf) >= '0' && *(state->buf) <= '9')
 				{
-					*curnnn = *(state->buf);
-					curnnn++;
+					nnn[innn++] = *(state->buf);
 				}
 				else
 				{
-					*curnnn = '\0';
-					*val = (int4) atoi(nnn);
+					long	lval;
+
+					nnn[innn] = '\0';
+					errno = 0;
+					lval = strtol(nnn, NULL, 0);
+					*val = (int4) lval;
+					if (errno != 0 || (long) *val != lval)
+						return ERR;
 					state->state = WAITOPERATOR;
 					return (state->count && *(state->buf) == '\0')
 						? ERR : VAL;
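Review bot: `strtol(nnn, NULL, 0)` on the new `lval` line uses base 0, so a token with a leading zero such as `010` is read as octal (8) and `08` stops at the `8` and silently yields 0, because no end pointer is checked; the replaced `atoi` treated both as decimal. If decimal is intended, `char *endp; lval = strtol(nnn, &endp, 10);` with `|| *endp != '\0'` added to the error test makes the parse strict and also rejects a lone `-`. The `errno = 0` / `errno != 0` lines require `<errno.h>`, which this hunk does not show being included. gettoken's body continues past the end of this hunk.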