Hi hackers,

I have tried to analyse Postgres code with Svace static analyzer [1] and found something I think is a real bug.

In pgp-decrypt.c, in the prefix_init function, the following check:

    if (len > sizeof(tmpbuf))

seems to be erroneous and should really look this way:

    if (len > PGP_MAX_BLOCK)

Otherwise the checks below in this line could lead to buffer overflows:

    if (buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1])

This is because buf will point to tmpbuf, while tmpbuf has a size of PGP_MAX_BLOCK + 2.

What do you think?

The proposed patch towards the current master branch is attached.

[1] - https://svace.pages.ispras.ru/svace-website/en/

--
best regards,
Mikhail A. Gribkov
e-mail: youzh...@gmail.com
http://www.flickr.com/photos/youzhick/albums
http://www.strava.com/athletes/5085772
phone: +7(916)604-71-12
Telegram: @youzhick
Attachment: v001-Fix_buffer_len_check.patch
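The off-by-two is easier to see with the index arithmetic written out. The following is an added example, not pgcrypto's code: PGP_MAX_BLOCK is given an assumed value of 16, and guard_weak / guard_fixed are hypothetical stand-ins for the original and proposed checks in prefix_init.

```c
/* Added example: models the bounds check discussed above (not pgcrypto code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PGP_MAX_BLOCK 16   /* assumed value; the real constant lives in pgcrypto's headers */
#define PXE_OK 0
#define PXE_BUG (-1)

/* The comparison touches buf[len - 2] .. buf[len + 1], so the highest index
 * read is len + 1. True when every index lies inside a buffer of cap bytes. */
static bool prefix_compare_in_bounds(int len, size_t cap)
{
    return len >= 2 && (size_t) len + 1 < cap;
}

/* Weak guard (hypothetical stand-in for the original check): compares len
 * against the whole scratch buffer, which is PGP_MAX_BLOCK + 2 bytes. */
static int guard_weak(int len)
{
    uint8_t tmpbuf[PGP_MAX_BLOCK + 2];
    return (len > (int) sizeof(tmpbuf)) ? PXE_BUG : PXE_OK;
}

/* Fixed guard (hypothetical stand-in for the proposed check): limits len to
 * PGP_MAX_BLOCK so that len + 2 bytes always fit in tmpbuf. */
static int guard_fixed(int len)
{
    return (len > PGP_MAX_BLOCK) ? PXE_BUG : PXE_OK;
}

/* Returns the smallest block length the guard accepts whose comparison would
 * read past tmpbuf, or 0 when the guard is sound. */
int first_unsafe_len(int (*guard)(int))
{
    size_t cap = PGP_MAX_BLOCK + 2;
    for (int len = 2; len <= PGP_MAX_BLOCK + 2; len++)
        if (guard(len) == PXE_OK && !prefix_compare_in_bounds(len, cap))
            return len;
    return 0;
}
```

With these definitions the weak guard first admits an out-of-bounds read at len = PGP_MAX_BLOCK + 1, while the fixed guard admits none.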