Fix heap-buffer-overflow in pglz_decompress() on corrupt input.
Andrew Dunstan <andrew@dunslane.net>
Fix heap-buffer-overflow in pglz_decompress() on corrupt input. When decoding a match tag, pglz_decompress() reads 2 bytes (or 3 for extended-length matches) from the source buffer before checking whether enough data remains. The existing bounds check (sp > srcend) occurs after the reads, so truncated compressed data that ends mid-tag causes a read past the allocated buffer. Fix by validating that sufficient source bytes are available before reading each part of the match tag. The post-read sp > srcend check is no longer needed and is removed. Found by fuzz testing with libFuzzer and AddressSanitizer. Backpatch-through: 14
Files
| Path | Change | +/− |
|---|---|---|
| src/common/pg_lzcompress.c | modified | +19 −8 |