Participants
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1Tom LaneTom Lane
Apr 22, 16:02

pgsql: Prevent some buffer overruns in spell.c's parsing of affix files

Started by Tom Lane2 months ago1 messagescomitters
Jump to latest
#1Tom Lane
Tom Lane
tgl@sss.pgh.pa.us

Prevent some buffer overruns in spell.c's parsing of affix files.

parse_affentry() and addCompoundAffixFlagValue() each collect fields
from an affix file into working buffers of size BUFSIZ. They failed
to defend against overlength fields, so that a malicious affix file
could cause a stack smash. BUFSIZ (typically 8K) is certainly way
longer than any reasonable affix field, but let's fix this while
we're closing holes in this area.

I chose to do this by silently truncating the input before it can
overrun the buffer, using logic comparable to the existing logic in
get_nextfield(). Certainly there's at least as good an argument for
raising an error, but for now let's follow the existing precedent.

Reported-by: Igor Stepansky <igor.stepansky@orca.security>
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Andrey Borodin <x4mmm@yandex-team.ru>
Discussion: /messages/by-id/864123.1776810909@sss.pgh.pa.us
Backpatch-through: 14

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/d7970e7e951bb39b0d5d7ae633fc7f1af54aa932

Modified Files
--------------
src/backend/tsearch/spell.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)

← Back to Topics