Neil Conway <[EMAIL PROTECTED]> writes: > Tom Lane <[EMAIL PROTECTED]> writes: > > > Vince Vielhaber <[EMAIL PROTECTED]> writes: > > > Here's yet another. He claims malicious code can be run on the server > > > with this one. > > > > regression=# select repeat('xxx',1431655765); > > server closed the connection unexpectedly > > > > This is probably caused by integer overflow in calculating the size of > > the repeat's result buffer. It'd take some considerable doing to create > > an arbitrary-code exploit, but perhaps could be done. Anyone want to > > investigate a patch? > > This seems to fix the problem:
No, no it does not :-) Tom pointed out some obvious braindamage in my previous patch. I've attached a revised version. Cheers, Neil -- Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/utils/adt/oracle_compat.c =================================================================== RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/oracle_compat.c,v retrieving revision 1.37 diff -c -r1.37 oracle_compat.c *** src/backend/utils/adt/oracle_compat.c 8 Jan 2002 17:03:41 -0000 1.37 --- src/backend/utils/adt/oracle_compat.c 21 Aug 2002 21:03:59 -0000 *************** *** 997,1002 **** --- 997,1012 ---- slen = (VARSIZE(string) - VARHDRSZ); tlen = (VARHDRSZ + (count * slen)); + /* Check for integer overflow */ + if (slen != 0 && count != 0) + { + int check = count * slen; + int check2 = check + VARHDRSZ; + + if ((check / slen) != count || check2 <= check) + elog(ERROR, "Requested buffer is too large."); + } + result = (text *) palloc(tlen); VARATT_SIZEP(result) = tlen;
---------------------------(end of broadcast)--------------------------- TIP 2: you can get off all lists at once with the unregister command (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])