| author | Tom Lane <tgl@sss.pgh.pa.us> | 2011-01-27 17:41:46 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2011-01-27 17:43:07 -0500 |
| commit | d6d145673f8df3bd05939b1781e99acead9daae5 (patch) | |
| tree | 99439793cb2c5cfd188ef2a9758d068d2e2b887c /src | |
| parent | 67dbe720f6ba18393cd85574718aa2683b77a212 (diff) | |
Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution. The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015
Diffstat (limited to 'src')
0 files changed, 0 insertions, 0 deletions
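
The two checks the commit message names (a bound on the digit buffer and a range check on the converted value), as an added C example that is not PostgreSQL's code or the committed fix. The function name, status codes and buffer size are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define NUMBUF_LEN 16   /* assumed size; the page does not give the real one */

enum tok_status { TOK_OK = 0, TOK_NO_DIGITS, TOK_TOO_LONG, TOK_OUT_OF_RANGE };

/*
 * Collect an optionally signed decimal integer from *sp into a fixed-size
 * buffer, refusing input that would not fit, then convert with a range check.
 * On success stores the value in *val and advances *sp past the digits;
 * on any failure *sp and *val are left untouched.
 */
enum tok_status parse_int_token(const char **sp, int32_t *val)
{
    char        buf[NUMBUF_LEN];
    size_t      n = 0;
    const char *p = *sp;
    char       *end;
    long        l;

    if (*p == '-' || *p == '+')
        buf[n++] = *p++;
    if (*p < '0' || *p > '9')
        return TOK_NO_DIGITS;

    while (*p >= '0' && *p <= '9')
    {
        /* Bounds check before every store; keep one byte for the NUL. */
        if (n >= sizeof(buf) - 1)
            return TOK_TOO_LONG;
        buf[n++] = *p++;
    }
    buf[n] = '\0';

    /* strtol flags overflow of long via ERANGE; also enforce the int32 range. */
    errno = 0;
    l = strtol(buf, &end, 10);
    if (errno == ERANGE || *end != '\0' || l < INT32_MIN || l > INT32_MAX)
        return TOK_OUT_OF_RANGE;

    *val = (int32_t) l;
    *sp = p;
    return TOK_OK;
}
```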
