Prevent buffer overrun while parsing an integer in a "query_int" value.
Tom Lane <tgl@sss.pgh.pa.us>
Prevent buffer overrun while parsing an integer in a "query_int" value. contrib/intarray's gettoken() uses a fixed-size buffer to collect an integer's digits, and did not guard against overrunning the buffer. This is at least a backend crash risk, and in principle might allow arbitrary code execution. The code didn't check for overflow of the integer value either, which while not presenting a crash risk was still bad. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. Security: CVE-2010-4015
Files
| Path | Change | +/− |
|---|---|---|
| contrib/intarray/_int_bool.c | modified | +16 −10 |