Fix buffer overrun and failure to check for overflow in the input function for the query_int datatype (CVE-2010-4015)
diff -Naur postgresql-8.1.23.orig/contrib/intarray/_int_bool.c postgresql-8.1.23/contrib/intarray/_int_bool.c
--- postgresql-8.1.23.orig/contrib/intarray/_int_bool.c 2010-12-13 22:52:30.000000000 -0500
+++ postgresql-8.1.23/contrib/intarray/_int_bool.c 2011-01-28 15:19:45.848466111 -0500
@@ -55,24 +55,25 @@
 static int4
 gettoken(WORKSTATE * state, int4 *val)
 {
- char nnn[16], *curnnn;
+ char nnn[16];
+ int innn;
 *val = 0; /* default result */
- curnnn = nnn;
+ innn = 0;
 while (1)
 {
+ if (innn >= sizeof(nnn))
+ return ERR; /* buffer overrun => syntax error */
 switch (state->state)
 {
 case WAITOPERAND:
- curnnn = nnn;
+ innn = 0;
 if ((*(state->buf) >= '0' && *(state->buf) <= '9') ||
 *(state->buf) == '-')
 {
 state->state = WAITENDOPERAND;
- *curnnn = *(state->buf);
- curnnn++;
+ nnn[innn++] = *(state->buf);
 }
 else if (*(state->buf) == '!')
 {
@@ -92,13 +93,18 @@
 case WAITENDOPERAND:
 if (*(state->buf) >= '0' && *(state->buf) <= '9')
 {
- *curnnn = *(state->buf);
- curnnn++;
+ nnn[innn++] = *(state->buf);
 }
 else
 {
- *curnnn = '\0';
- *val = (int4) atoi(nnn);
+ long lval;
+
+ nnn[innn] = '\0';
+ errno = 0;
+ lval = strtol(nnn, NULL, 0);
+ *val = (int4) lval;
+ if (errno != 0 || (long) *val != lval)
+ return ERR;
 state->state = WAITOPERATOR;
 return (state->count && *(state->buf) == '\0') ? ERR : VAL;
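Review bot: The new guard `if (innn >= sizeof(nnn))` compares a signed `int` against a `size_t`, which draws -Wsign-compare and is only safe because `innn` is never negative; declaring `int innn;` as `size_t innn;` (or writing `innn >= (int) sizeof(nnn)`) would make the bound check self-evidently correct. The guard sits at the top of the `while (1)` loop, so it also covers the `nnn[innn] = '\0'` terminator written in the WAITENDOPERAND state later in the function, which is easy to miss when reading this hunk alone; a comment on the declaration such as `/* sign + 10 digits + NUL fits in 16; the loop-top check rejects anything longer as ERR */` would record why the fixed size is sufficient for any int4 and why the check stops the stack overrun. Since only digits and '-' ever reach `nnn`, the new ERR path is hit only by tokens longer than any valid int4 (for example long runs of leading zeros), a deliberate narrowing that the commit message does not mention. gettoken's body continues past this hunk.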