Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL (fwd)
Neil Conway <neilc@samurai.com>
From: Neil Conway <neilc@samurai.com>
To: PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Vince Vielhaber <vev@michvhf.com>
Date: 2002-08-21T21:04:22Z
Lists: pgsql-hackers
Attachments
- repeat_fix-3.patch (text/x-patch) patch
Neil Conway <neilc@samurai.com> writes:
> Tom Lane <tgl@sss.pgh.pa.us> writes:
>
> > Vince Vielhaber <vev@michvhf.com> writes:
> > > Here's yet another. He claims malicious code can be run on the server
> > > with this one.
> >
> > regression=# select repeat('xxx',1431655765);
> > server closed the connection unexpectedly
> >
> > This is probably caused by integer overflow in calculating the size of
> > the repeat's result buffer. It'd take some considerable doing to create
> > an arbitrary-code exploit, but perhaps could be done. Anyone want to
> > investigate a patch?
>
> This seems to fix the problem:
No, no it does not :-)
Tom pointed out some obvious braindamage in my previous patch. I've
attached a revised version.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC