Mark PQfn() unsafe and fix overrun in frontend LO interface.
Nathan Bossart <nathan@postgresql.org>
Author:
Nathan Bossart <nathan@postgresql.org>
Committer:
Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:47Z
Releases:
19 (unreleased)
Mark PQfn() unsafe and fix overrun in frontend LO interface. When result_is_int is set to 0, PQfn() cannot validate that the result fits in result_buf, so it will write data beyond the end of the buffer when the server returns more data than requested. Since this function is insecurable and obsolete, add a warning to the top of the pertinent documentation advising against its use. The only in-tree caller of PQfn() is the frontend large object interface. To fix that, add a buf_size parameter to pqFunctionCall3() that is used to protect against overruns, and use it in a private version of PQfn() that also accepts a buf_size parameter. Reported-by: Yu Kunpeng <yu443940816@live.com> Reported-by: Martin Heistermann <martin.heistermann@unibe.ch> Author: Nathan Bossart <nathandbossart@gmail.com> Reviewed-by: Noah Misch <noah@leadboat.com> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Etsuro Fujita <etsuro.fujita@gmail.com> Security: CVE-2026-6477 Backpatch-through: 14
Files
| Path | Change | +/− |
|---|---|---|
| doc/src/sgml/libpq.sgml | modified | +8 −3 |
| src/interfaces/libpq/fe-exec.c | modified | +15 −1 |
| src/interfaces/libpq/fe-lobj.c | modified | +6 −6 |
| src/interfaces/libpq/fe-protocol3.c | modified | +12 −1 |
| src/interfaces/libpq/libpq-int.h | modified | +5 −1 |