Prevent buffer overrun while parsing an integer in a "query_int" value.

contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution.  The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015

diff --git a/contrib/intarray/_int_bool.c b/contrib/intarray/_int_bool.c
index 3492100c0c2f9590f403660c86aedbfc17d686f9..072e8cc89773b052be3f0a805067db7ab3b0c8bc 100644 (file)
--- a/contrib/intarray/_int_bool.c
+++ b/contrib/intarray/_int_bool.c
@@ -56,24 +56,25 @@ typedef struct
 static int4
 gettoken(WORKSTATE *state, int4 *val)
 {
-       char            nnn[16],
-                          *curnnn;
+       char            nnn[16];
+       int                     innn;
 
        *val = 0;                                       /* default result */
 
-       curnnn = nnn;
+       innn = 0;
        while (1)
        {
+               if (innn >= sizeof(nnn))
+                       return ERR;                     /* buffer overrun => syntax error */
                switch (state->state)
                {
                        case WAITOPERAND:
-                               curnnn = nnn;
+                               innn = 0;
                                if ((*(state->buf) >= '0' && *(state->buf) <= '9') ||
                                        *(state->buf) == '-')
                                {
                                        state->state = WAITENDOPERAND;
-                                       *curnnn = *(state->buf);
-                                       curnnn++;
+                                       nnn[innn++] = *(state->buf);
                                }
                                else if (*(state->buf) == '!')
                                {
@@ -93,13 +94,18 @@ gettoken(WORKSTATE *state, int4 *val)
                        case WAITENDOPERAND:
                                if (*(state->buf) >= '0' && *(state->buf) <= '9')
                                {
-                                       *curnnn = *(state->buf);
-                                       curnnn++;
+                                       nnn[innn++] = *(state->buf);
                                }
                                else
                                {
-                                       *curnnn = '\0';
-                                       *val = (int4) atoi(nnn);
+                                       long    lval;
+
+                                       nnn[innn] = '\0';
+                                       errno = 0;
+                                       lval = strtol(nnn, NULL, 0);
+                                       *val = (int4) lval;
+                                       if (errno != 0 || (long) *val != lval)
+                                               return ERR;
                                        state->state = WAITOPERATOR;
                                        return (state->count && *(state->buf) == '\0')
                                                ? ERR : VAL;