diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2011-01-27 17:41:56 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2011-01-27 17:43:34 -0500 |
| commit | 23f2e93afff29520cb5c03e30f1928010af81938 (patch) | |
| tree | 7d01e4b53d38d5add7749cf1357efc39300c319b /src | |
| parent | 9ca60201119fdc41b05beb7063ee5f8d359d099b (diff) | |
Prevent buffer overrun while parsing an integer in a "query_int" value.
contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution. The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.
Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.
Security: CVE-2010-4015
Diffstat (limited to 'src')
0 files changed, 0 insertions, 0 deletions