| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Potential buffer overrun in spell.c's CheckAffix() |
| Date: | 2026-04-21 17:32:24 |
| Message-ID: | 641711.1776792744@sss.pgh.pa.us |
| Lists: | pgsql-bugs |
CheckAffix is used by our ispell text search dictionaries to attach a
prefix or suffix to a given base word. The input word is known to be
no longer than MAXNORMLEN (256), and an output buffer of size
MAXNORMLEN * 2 is provided. But there's not any a priori limit on the
length of a prefix or suffix string, so in principle a buffer overflow
could occur.
In practice these limits seem like more than plenty for any real-world
word, so I think it's sufficient to just reject the prefix or suffix
if an overflow would occur, as attached.
This bug was reported to pgsql-security by Xint Code as a potential
security issue. However we decided it doesn't seem worth the CVE
treatment, because exploiting it would require getting a malicious
ispell dictionary installed in a PG server. Putting the .dict file
into the installation's file tree would require superuser privileges,
and so would creating a text dictionary SQL object that references it.
Maybe an attacker could persuade a gullible DBA to do that, but there
are plenty of other attack pathways available if you're that
persuasive.
Despite that, it seems worth fixing as a run-of-the-mill bug.
Any objections to the attached?
regards, tom lane
| Attachment | Content-Type | Size |
|---|---|---|
| v1-0001-Prevent-buffer-overrun-in-spell.c-s-CheckAffix.patch | text/x-diff | 3.3 KB |
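The check described in the mail, shown as an added example that is not PostgreSQL's spell.c code and not the attached patch: the word is at most MAXNORMLEN bytes (the constant and the 256 / MAXNORMLEN * 2 sizes are the ones quoted above), the affix length is unbounded, and the fix is to compute the required length before writing and to reject the affix when the result plus its terminating NUL would not fit the MAXNORMLEN * 2 output buffer. The function name `attach_affix`, the `affix_kind` enum and the driver in `main` are assumptions for illustration; the oversized affix is constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits as described in the mail. Everything below is an illustrative
 * reconstruction of the bounds check, not PostgreSQL's spell.c. */
#define MAXNORMLEN 256
#define AFFIX_OUTLEN (MAXNORMLEN * 2)

/* Hypothetical: which side of the word the affix attaches to. */
enum affix_kind { AFFIX_PREFIX, AFFIX_SUFFIX };

/*
 * Build affix+word (prefix) or word+affix (suffix) into out[AFFIX_OUTLEN].
 * Returns true on success. Returns false, leaving out[] untouched, when
 * the result plus its terminating NUL would not fit; the caller then
 * treats the affix as not applicable, which is the behaviour the mail
 * proposes instead of overrunning the buffer.
 */
static bool
attach_affix(enum affix_kind kind, const char *word, const char *affix,
             char out[AFFIX_OUTLEN])
{
    size_t wlen = strlen(word);
    size_t alen = strlen(affix);

    /* Check the required length before writing anything. Subtract rather
     * than add so an absurdly long affix cannot wrap the size_t sum. */
    if (wlen >= AFFIX_OUTLEN || alen > (AFFIX_OUTLEN - 1) - wlen)
        return false;

    if (kind == AFFIX_PREFIX)
    {
        memcpy(out, affix, alen);
        memcpy(out + alen, word, wlen + 1);   /* wlen + 1 copies the NUL */
    }
    else
    {
        memcpy(out, word, wlen);
        memcpy(out + wlen, affix, alen + 1);
    }
    return true;
}

/* Driver: one affix that fits, one constructed affix longer than the
 * whole output buffer, which is rejected rather than overflowing. */
int
main(void)
{
    char out[AFFIX_OUTLEN];
    char longaffix[AFFIX_OUTLEN + 8];   /* constructed oversized input */

    memset(longaffix, 'x', sizeof(longaffix) - 1);
    longaffix[sizeof(longaffix) - 1] = '\0';

    if (attach_affix(AFFIX_PREFIX, "spell", "mis", out))
        printf("prefix ok: %s\n", out);
    if (!attach_affix(AFFIX_SUFFIX, "spell", longaffix, out))
        printf("oversized suffix rejected\n");
    return 0;
}
```

The boundary worth testing is the exact fit: a MAXNORMLEN-byte word plus a (MAXNORMLEN - 1)-byte affix fills all AFFIX_OUTLEN bytes including the NUL and must be accepted, while one more affix byte must be rejected; an off-by-one in the comparison is exactly the kind of mistake that turns a "fix" into a one-byte overrun.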