Prevent buffer overrun while parsing an integer in a "query_int" value.

Tom Lane <tgl@sss.pgh.pa.us>

Commit: d6d145673f8df3bd05939b1781e99acead9daae5
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date: 2011-01-27T22:43:07Z
Releases: 9.0.3
Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution.  The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015

Files

PathChange+/−
contrib/intarray/_int_bool.c modified +16 −10