| From: | Neil Conway <neilc(at)samurai(dot)com> |
|---|---|
| To: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL |
| Date: | 2002-08-28 19:10:57 |
| Message-ID: | 87elcidcji.fsf@mailbox.samurai.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> Upon invoking a polygon(integer, circle) function a
> src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
> called, which suffers from a buffer overflow.
>
> 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
> buffer overrun condition. It is called in multiple places, the most
> interesting are path_out() and poly_out() functions.
> 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
> a simple buffer overrun.
I've attached a patch which should fix these problems.
> 3) Upon converting a char string to a path object, a
> src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
> which suffers from a buffer overrun, caused by a very long argument.
> 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
> detect a buffer overrun condition caused by a very long argument.
I wasn't able to reproduce either of these (wouldn't it require an
input string with several hundred thousand commas?), can you give me a
test-case?
Cheers,
Neil
--
Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
| Attachment | Content-Type | Size |
|---|---|---|
| geo_fixes-1.patch | text/x-patch | 3.3 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-08-28 19:11:09 | Re: [HACKERS] Proposed GUC Variable |
| Previous Message | Larry Rosenman | 2002-08-28 19:07:57 | Re: [HACKERS] Proposed GUC Variable |