Commit c4d6bda
There is a bug in aclinsert3 in the code which updates the acl arrays.
When an acl item is added or updated the new entry is deleted if it has no
permissions and the acl array is shrunk. This is done by decrementing
the number of items without updating the corresponding array size.
The array with the incorrect size is later read by pg_aclcheck and the entry
count is used to allocate a new array while the array size is used to copy
the old one. This causes a memory corruption and a backend crash.
This happens only to normal users as the administrator bypasses acl checks.

Massimo Dal Zotto
1 parent 8299e75 commit c4d6bda
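The count/size mismatch the commit message describes, as an added example that is not PostgreSQL code: a simplified model with hypothetical names (`Item`, `ItemArray`, `array_*`) showing how the stored byte size goes stale after a removal, and a reader-side consistency check that refuses such an array instead of copying by the stale size.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not PostgreSQL's real structures: a variable-length
 * array whose header stores both an entry count and a total byte size. */
typedef struct { unsigned id; unsigned mode; } Item;       /* hypothetical */
typedef struct { size_t size; int count; Item items[]; } ItemArray;

static size_t array_bytes(int count) {
    return offsetof(ItemArray, items) + (size_t) count * sizeof(Item);
}

ItemArray *array_new(int count) {
    ItemArray *a = calloc(1, array_bytes(count));
    if (a == NULL) return NULL;
    a->size = array_bytes(count);
    a->count = count;
    return a;
}

/* Remove entry idx. fix_size=0 models the pre-patch behaviour from the
 * commit message: the count shrinks but the byte size stays stale. */
void array_remove(ItemArray *a, int idx, int fix_size) {
    memmove(&a->items[idx], &a->items[idx + 1],
            (size_t) (a->count - idx - 1) * sizeof(Item));
    a->count--;
    if (fix_size)
        a->size = array_bytes(a->count);    /* derive size from count */
}

/* Reader's guard: both header fields must describe the same length. */
int array_consistent(const ItemArray *a) {
    return a->count >= 0 && a->size == array_bytes(a->count);
}

/* Allocates from the count and copies by the stored size, the pattern the
 * commit message attributes to the reader; an inconsistent header is
 * rejected rather than copied past the end of the new allocation. */
ItemArray *array_copy_checked(const ItemArray *a) {
    if (!array_consistent(a)) return NULL;
    ItemArray *b = malloc(array_bytes(a->count));
    if (b != NULL) memcpy(b, a, a->size);
    return b;
}
```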

src/backend/utils/adt/acl.c

Lines changed: 3 additions & 1 deletion
@@ -7,7 +7,7 @@
77
*
88
*
99
* IDENTIFICATION
10-
* $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.7 1996/11/17 04:26:59 momjian Exp $
10+
* $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.8 1996/11/20 22:53:10 momjian Exp $
1111
*
1212
*-------------------------------------------------------------------------
1313
*/
@@ -417,6 +417,8 @@ aclinsert3(Acl *old_acl, AclItem *mod_aip, unsigned modechg)
417417
new_aip[i-1].ai_mode=new_aip[i].ai_mode;
418418
}
419419
ARR_DIMS(new_acl)[0]=num-1 ;
420+
/* Adjust also the array size because it is used for memmove */
421+
ARR_SIZE(new_acl)-=sizeof(AclItem);
420422
break;
421423
}
422424
}
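Review bot: The added `ARR_SIZE(new_acl)-=sizeof(AclItem);` in aclinsert3 is a relative adjustment, so it is only correct if the stored size was already exact for `num` items when this branch is reached. Since `ARR_DIMS(new_acl)[0]=num-1` is set as an absolute value on the line above, consider setting the size absolutely from the same `num-1` as well, so the two header fields are derived from one source and cannot drift apart again. The commit message says pg_aclcheck allocates from the entry count and copies by the array size; a consistency check between the two fields on that read path would turn any future mismatch into a clean error instead of memory corruption. The new comment could also name that reader rather than just "memmove", so the dependency is visible to the next person editing this loop.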