forked from postgres/postgres
Commit 67fb608
Guard against empty buffer in gets_fromFile()'s check for a newline.
Per the fgets() specification, it cannot return without reading some data unless it reports EOF or error. So the code here assumed that the data buffer would necessarily be nonempty when we go to check for a newline having been read. However, Agostino Sarubbo noticed that this could fail to be true if the first byte of the data is a NUL (\0). The fgets() API doesn't really work for embedded NULs, which is something I don't feel any great need for us to worry about since we generally don't allow NULs in SQL strings anyway. But we should not access off the end of our own buffer if the case occurs. Normally this would just be a harmless read, but if you were unlucky the byte before the buffer would contain '\n' and we'd overwrite it with '\0', and if you were really unlucky that might be valuable data and psql would crash.

Agostino reported this to pgsql-security, but after discussion we concluded that it isn't worth treating as a security bug; if you can control the input to psql you can do far more interesting things than just maybe-crash it. Nonetheless, it is a bug, so back-patch to all supported versions.

1 parent 1e2f96f, commit 67fb608
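The failure mode described in the commit message, as an added example that is not part of the commit or of PostgreSQL's source: `strip_newline()`, `struct frame` and `read_one_line()` are hypothetical names, and the input bytes are constructed. It runs `fgets()` on a line whose first byte is NUL and applies a length guard before the newline check, so the byte in front of the buffer is never touched.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not PostgreSQL code): strip the trailing '\n' that
 * fgets() leaves. Unguarded, `buf[len - 1]` is buf[-1] when len == 0. */
static bool strip_newline(char *buf)
{
    size_t len = strlen(buf);

    if (len > 0 && buf[len - 1] == '\n')
    {
        buf[len - 1] = '\0';
        return true;
    }
    return false;               /* empty string or partial line */
}

/* Constructed layout: a '\n' byte sits directly before the line buffer. */
struct frame { char before; char buf[16]; };

/* Feed n constructed bytes to fgets() through a temp file. Returns -1 on
 * I/O failure; else bit 0 = newline stripped, bit 1 = `before` untouched. */
static int read_one_line(const char *input, size_t n)
{
    struct frame f = { '\n', { 0 } };
    FILE *fp = tmpfile();
    int result = -1;

    if (fp == NULL)
        return -1;
    if (fwrite(input, 1, n, fp) == n && fseek(fp, 0L, SEEK_SET) == 0 &&
        fgets(f.buf, sizeof(f.buf), fp) != NULL)
        result = (strip_newline(f.buf) ? 1 : 0) | (f.before == '\n' ? 2 : 0);
    fclose(fp);
    return result;
}

int main(void)
{
    printf("NUL-first line: %d\n", read_one_line("\0abc\n", 5));
    printf("normal line:    %d\n", read_one_line("select 1;\n", 10));
    return 0;
}
```

A result of 2 for the NUL-first line means `fgets()` succeeded, `strlen()` saw an empty string, no newline was stripped, and the preceding byte still holds '\n'.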
1 file changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
218 | 218 |
| |
219 | 219 |
| |
220 | 220 |
| |
221 |
| - | |
| 221 | + | |
222 | 222 |
| |
223 | 223 |
| |
224 | 224 |
| |
|