Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit7ccb6dc

Browse files
committed
Prevent buffer overrun while parsing an integer in a "query_int" value.
contrib/intarray's gettoken() uses a fixed-size buffer to collect aninteger's digits, and did not guard against overrunning the buffer.This is at least a backend crash risk, and in principle might allowarbitrary code execution. The code didn't check for overflow of theinteger value either, which while not presenting a crash risk was stillbad.Thanks to Apple Inc's security team for reporting this issue and supplyingthe fix.Security:CVE-2010-4015
1 parent0ac8c8d commit7ccb6dc

File tree

1 file changed

+16
-10
lines changed

1 file changed

+16
-10
lines changed

‎contrib/intarray/_int_bool.c

Lines changed: 16 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -56,24 +56,25 @@ typedef struct
5656
staticint4
5757
gettoken(WORKSTATE*state,int4*val)
5858
{
59-
charnnn[16],
60-
*curnnn;
59+
charnnn[16];
60+
intinnn;
6161

6262
*val=0;/* default result */
6363

64-
curnnn=nnn;
64+
innn=0;
6565
while (1)
6666
{
67+
if (innn >=sizeof(nnn))
68+
returnERR;/* buffer overrun => syntax error */
6769
switch (state->state)
6870
{
6971
caseWAITOPERAND:
70-
curnnn=nnn;
72+
innn=0;
7173
if ((*(state->buf) >='0'&&*(state->buf) <='9')||
7274
*(state->buf)=='-')
7375
{
7476
state->state=WAITENDOPERAND;
75-
*curnnn=*(state->buf);
76-
curnnn++;
77+
nnn[innn++]=*(state->buf);
7778
}
7879
elseif (*(state->buf)=='!')
7980
{
@@ -93,13 +94,18 @@ gettoken(WORKSTATE *state, int4 *val)
9394
caseWAITENDOPERAND:
9495
if (*(state->buf) >='0'&&*(state->buf) <='9')
9596
{
96-
*curnnn=*(state->buf);
97-
curnnn++;
97+
nnn[innn++]=*(state->buf);
9898
}
9999
else
100100
{
101-
*curnnn='\0';
102-
*val= (int4)atoi(nnn);
101+
longlval;
102+
103+
nnn[innn]='\0';
104+
errno=0;
105+
lval=strtol(nnn,NULL,0);
106+
*val= (int4)lval;
107+
if (errno!=0|| (long)*val!=lval)
108+
returnERR;
103109
state->state=WAITOPERATOR;
104110
return (state->count&&*(state->buf)=='\0')
105111
?ERR :VAL;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp