Wrong buffer limits check
Mikhail Gribkov <youzhick@gmail.com>
From: Mikhail Gribkov <youzhick@gmail.com>
To: PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2024-01-29T13:37:44Z
Lists: pgsql-hackers
Attachments
- v001-Fix_buffer_len_check.patch (application/octet-stream) patch v1
Hi hackers,
I have tried to analyse Postgres code with Svace static analyzer [1] and
found something I think is a real bug.
In pgp-decrypt.c, in prefix_init function the following check:
if (len > sizeof(tmpbuf))
seem to be erroneous and should really look this way:
if (len > PGP_MAX_BLOCK)
Otherwise the below checks in this line could lead to buffer overflows:
if (buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1])
This is because buf will point to tmpbuf, while tmpbuf have a size of
PGP_MAX_BLOCK + 2.
What do you think? The proposed patch towarts the current master branch is
attached.
[1] - https://svace.pages.ispras.ru/svace-website/en/
--
best regards,
Mikhail A. Gribkov
e-mail: youzhick@gmail.com
*http://www.flickr.com/photos/youzhick/albums
<http://www.flickr.com/photos/youzhick/albums>*
http://www.strava.com/athletes/5085772
phone: +7(916)604-71-12
Telegram: @youzhick
Commits
-
pgcrypto: Fix check for buffer size
- f74b5c5bc67c 15.6 landed
- c29022164f8a 12.18 landed
- b527ebc1d37a 17.0 landed
- 5d726c72cd0f 16.2 landed
- 54717fcaad75 14.11 landed
- 375d30bcbbd0 13.14 landed