| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Fix heap-buffer-overflow in pglz_decompress() on corrupt input. |
| Date: | 2026-04-10 14:39:44 |
| Message-ID: | E1wBD1L-000Jfs-1s@gemulon.postgresql.org |
| Lists: | pgsql-committers |
Fix heap-buffer-overflow in pglz_decompress() on corrupt input.
When decoding a match tag, pglz_decompress() reads 2 bytes (or 3
for extended-length matches) from the source buffer before checking
whether enough data remains. The existing bounds check (sp > srcend)
occurs after the reads, so truncated compressed data that ends
mid-tag causes a read past the allocated buffer.
Fix by validating that sufficient source bytes are available before
reading each part of the match tag. The post-read sp > srcend
check is no longer needed and is removed.
Found by fuzz testing with libFuzzer and AddressSanitizer.
Backpatch-through: 14
Branch
------
REL_15_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/c88ad3a2122eae875b77eb5cba3b7bda5c92f251
Modified Files
--------------
src/common/pg_lzcompress.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
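The read-before-check ordering the commit message describes, as an added example (not PostgreSQL's pg_lzcompress.c and not code from this thread): a simplified pglz-style decoder written for this note whose match-tag reader confirms that 2, or 3 for an extended-length match, source bytes remain before dereferencing any of them, so a compressed stream that ends mid-tag is rejected with -1 instead of being read past its end. The tag layout (4-bit length nibble, 12-bit offset, optional third length byte) follows pglz; the function names, the constructed sample streams and the output-side checks are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified pglz-style decompressor. Example code written for this note,
 * not PostgreSQL's pg_lzcompress.c. Tag layout follows pglz: a control
 * byte carries 8 flags, LSB first; flag 0 = one literal byte follows,
 * flag 1 = a match tag follows. A match tag is 2 bytes: the low nibble
 * of byte 0 is (length - 3), the high nibble of byte 0 plus byte 1 form a
 * 12-bit back-reference offset. A length nibble of 15 means a third byte
 * follows and length = 18 + byte2 + 1.
 */

/*
 * Decode one match tag at sp. Returns the tag size (2 or 3), or -1 if the
 * stream ends before the tag is complete. Every read is preceded by a
 * bounds check, so a stream truncated mid-tag never touches a byte past
 * srcend (the ordering the fix introduces).
 */
static int
read_match_tag(const unsigned char *sp, const unsigned char *srcend,
               int32_t *len, int32_t *off)
{
    if (srcend - sp < 2)        /* both fixed bytes must exist before sp[0], sp[1] are read */
        return -1;
    *len = (sp[0] & 0x0f) + 3;
    *off = ((sp[0] & 0xf0) << 4) | sp[1];
    if (*len == 18)
    {
        if (srcend - sp < 3)    /* extended length: the third byte must exist too */
            return -1;
        *len += sp[2] + 1;
        return 3;
    }
    return 2;
}

/*
 * Decompress src into dst. Returns bytes written, or -1 on corrupt input:
 * a truncated tag, an offset reaching before the start of the output, or
 * a match that would overrun dst.
 */
static int32_t
lz_decompress(const unsigned char *src, size_t srclen,
              unsigned char *dst, size_t dstlen)
{
    const unsigned char *sp = src, *srcend = src + srclen;
    unsigned char *dp = dst, *dstend = dst + dstlen;

    while (sp < srcend)
    {
        unsigned char ctrl = *sp++;
        int ctrlc;

        for (ctrlc = 0; ctrlc < 8 && sp < srcend; ctrlc++, ctrl >>= 1)
        {
            if (ctrl & 1)
            {
                int32_t len, off;
                int taglen = read_match_tag(sp, srcend, &len, &off);

                if (taglen < 0)
                    return -1;
                sp += taglen;
                if (off == 0 || off > dp - dst)
                    return -1;              /* back-reference before output start */
                if (len > dstend - dp)
                    return -1;              /* would overrun dst */
                while (len-- > 0)           /* byte-wise: source may overlap dest */
                {
                    *dp = dp[-off];
                    dp++;
                }
            }
            else
            {
                if (dp >= dstend)
                    return -1;
                *dp++ = *sp++;
            }
        }
    }
    return (int32_t) (dp - dst);
}

/* Constructed sample streams for this example (not real pglz output). */
static const unsigned char sample_ok[]        = {0x08, 'a', 'b', 'c', 0x06, 0x03}; /* "abc" + match(off 3, len 9) */
static const unsigned char sample_truncated[] = {0x08, 'a', 'b', 'c', 0x06};       /* ends after first tag byte */
static const unsigned char sample_ext_ok[]    = {0x02, 'a', 0x0f, 0x01, 0x14};     /* "a" + match(off 1, len 39) */
static const unsigned char sample_ext_trunc[] = {0x02, 'a', 0x0f, 0x01};           /* third tag byte missing */
static const unsigned char sample_bad_off[]   = {0x01, 0x06, 0x05};                /* match before any output */

/*
 * Decompress s and compare with expected. Returns the output length on a
 * match, -1 if the stream was rejected, -2 if the output differs.
 */
static int32_t
check_stream(const unsigned char *s, size_t n,
             const unsigned char *expected, size_t expected_len)
{
    unsigned char out[64];
    int32_t got = lz_decompress(s, n, out, sizeof out);

    if (got < 0)
        return -1;
    if ((size_t) got != expected_len || memcmp(out, expected, expected_len) != 0)
        return -2;
    return got;
}

/* Extended-length case: 40 bytes of 'a' from one literal and a 39-byte match. */
static int32_t
demo_extended(void)
{
    unsigned char expected[40];
    memset(expected, 'a', sizeof expected);
    return check_stream(sample_ext_ok, sizeof sample_ext_ok, expected, sizeof expected);
}

int
main(void)
{
    printf("valid stream       -> %d\n", check_stream(sample_ok, sizeof sample_ok, (const unsigned char *) "abcabcabcabc", 12));
    printf("truncated tag      -> %d\n", check_stream(sample_truncated, sizeof sample_truncated, NULL, 0));
    printf("extended match     -> %d\n", demo_extended());
    printf("truncated 3rd byte -> %d\n", check_stream(sample_ext_trunc, sizeof sample_ext_trunc, NULL, 0));
    printf("bad offset         -> %d\n", check_stream(sample_bad_off, sizeof sample_bad_off, NULL, 0));
    return 0;
}
```

Run under AddressSanitizer with the truncated samples, the read-before-check version stays quiet; the same streams fed to a decoder that dereferences sp[0], sp[1] (and sp[2]) first and only then tests sp against srcend are exactly the heap-buffer-overflow the fuzzer reported, which is why the check has to move in front of each read rather than remain a single post-read comparison.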