Neil Conway <[EMAIL PROTECTED]> writes:
> Tom Lane <[EMAIL PROTECTED]> writes:
>
> > Vince Vielhaber <[EMAIL PROTECTED]> writes:
> > > Here's yet another. He claims malicious code can be run on the server
> > > with this one.
> >
> > regression=# select repeat('xxx',1431655765);
> > server closed the connection unexpectedly
> >
> > This is probably caused by integer overflow in calculating the size of
> > the repeat's result buffer. It'd take some considerable doing to create
> > an arbitrary-code exploit, but perhaps could be done. Anyone want to
> > investigate a patch?
>
> This seems to fix the problem:
No, no it does not :-)
Tom pointed out some obvious braindamage in my previous patch. I've
attached a revised version.
Cheers,
Neil
--
Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/utils/adt/oracle_compat.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/oracle_compat.c,v
retrieving revision 1.37
diff -c -r1.37 oracle_compat.c
*** src/backend/utils/adt/oracle_compat.c 8 Jan 2002 17:03:41 -0000 1.37
--- src/backend/utils/adt/oracle_compat.c 21 Aug 2002 21:03:59 -0000
***************
*** 997,1002 ****
--- 997,1012 ----
slen = (VARSIZE(string) - VARHDRSZ);
tlen = (VARHDRSZ + (count * slen));
+ /* Check for integer overflow */
+ if (slen != 0 && count != 0)
+ {
+ int check = count * slen;
+ int check2 = check + VARHDRSZ;
+
+ if ((check / slen) != count || check2 <= check)
+ elog(ERROR, "Requested buffer is too large.");
+ }
+
result = (text *) palloc(tlen);
VARATT_SIZEP(result) = tlen;
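Review bot: the guard at `int check = count * slen;` only detects the wrap after performing a signed multiplication that can overflow, which is undefined behaviour in C, so a compiler is entitled to assume `(check / slen) != count` is always false and drop the test; check before multiplying instead, e.g. `if (count > (INT_MAX - VARHDRSZ) / slen) elog(ERROR, ...)`, or do the arithmetic in a wider type. The block is also skipped when `count == 0` and nothing in the hunk rejects a negative `count`, which would leave `tlen` negative (or wrapped) on the following `palloc(tlen)`; a `count < 0` check belongs in the same place.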
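The wrap Tom describes, worked through on the reported input as an added stand-alone C example (not backend code): the unchecked size computation comes out at 3 bytes for repeat('xxx', 1431655765), and a guard that refuses before multiplying rather than dividing the already-wrapped product. VARHDRSZ = 4 is the real header size; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Size of a PostgreSQL varlena header (the 4-byte length word).
 * Real value of the backend's VARHDRSZ macro; the rest is demo code. */
#define VARHDRSZ 4

/* What the unchecked code computed on a 32-bit int: VARHDRSZ + count*slen
 * with wraparound. Done in uint32_t so the wrap is well defined here rather
 * than undefined signed overflow. */
int32_t naive_repeat_size(int32_t slen, int32_t count)
{
    uint32_t prod = (uint32_t)count * (uint32_t)slen;
    return (int32_t)(prod + VARHDRSZ);
}

/* Hardened version: returns VARHDRSZ + count*slen, or -1 when that value
 * would not fit in an int32. The range test happens before the multiply,
 * so no overflowing operation is ever executed. */
int32_t checked_repeat_size(int32_t slen, int32_t count)
{
    if (slen < 0 || count < 0)
        return -1;                              /* lengths are never negative */
    if (slen != 0 && count > (INT32_MAX - VARHDRSZ) / slen)
        return -1;                              /* count*slen + VARHDRSZ too big */
    return VARHDRSZ + count * slen;             /* provably in range now */
}

int main(void)
{
    /* The reported query: repeat('xxx', 1431655765), so slen = 3.
     * 3 * 1431655765 = 0xFFFFFFFF; adding the 4-byte header wraps to 3,
     * i.e. a 3-byte buffer for a 4 GB result. */
    printf("naive   tlen = %d\n", naive_repeat_size(3, 1431655765));
    printf("checked tlen = %d (-1 = rejected)\n", checked_repeat_size(3, 1431655765));
    printf("repeat('xxx', 10) needs %d bytes\n", checked_repeat_size(3, 10));
    return 0;
}
```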