Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd)

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Vince Vielhaber <vev@michvhf.com>
Cc: pgsql-hackers@postgresql.org
Date: 2002-08-20T20:05:11Z
Lists: pgsql-hackers
Vince Vielhaber <vev@michvhf.com> writes:
> Here's yet another.  He claims malicious code can be run on the server
> with this one.

regression=# select repeat('xxx',1431655765);
server closed the connection unexpectedly

This is probably caused by integer overflow in calculating the size of
the repeat's result buffer.  It'd take some considerable doing to create
an arbitrary-code exploit, but perhaps could be done.  Anyone want to
investigate a patch?  I think we likely need something like

	bufsize = input_length * repeats;
+	/* check for overflow in multiplication */
+	if (bufsize / repeats != input_length)
+		elog(ERROR, "repeat result too long");

but I haven't thought it through in detail.

			regards, tom lane