Prevent buffer overrun while parsing an integer in a "query_int" value.

Tom Lane <tgl@sss.pgh.pa.us>

Commit: 23f2e93afff29520cb5c03e30f1928010af81938
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date: 2011-01-27T22:43:34Z
Releases: 8.3.14
Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution.  The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015

Files

PathChange+/−
contrib/intarray/_int_bool.c modified +16 −10