Prevent buffer overrun while parsing an integer in a "query_int" value.
contrib/intarray's gettoken() uses a fixed-size buffer to collect an integer's digits, and did not guard against overrunning the buffer. This is at least a backend crash risk, and in principle might allow arbitrary code execution. The code didn't check for overflow of the integer value either, which while not presenting a crash risk was still bad. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. Security: CVE-2010-4015 Branch ------ REL9_0_STABLE Details ------- http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=d6d145673f8df3bd05939b1781e99acead9daae5 Modified Files -------------- contrib/intarray/_int_bool.c | 26 ++++++++++++++++---------- 1 files changed, 16 insertions(+), 10 deletions(-) -- Sent via pgsql-committers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
