From: Kevin Grittner Date: Fri, 15 Nov 2013 14:27:42 +0000 (-0600) Subject: Fix buffer overrun in isolation test program. X-Git-Tag: REL9_4_BETA1~941 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7cb964acb794078ef033cbf2e3a0e7670c8992a9;p=postgresql Fix buffer overrun in isolation test program. Commit 061b88c732952c59741374806e1e41c1ec845d50 saved argv0 to a global buffer without ensuring that it was zero terminated, allowing references to it to overrun the buffer and access other memory. This probably would not have presented any security risk, but could have resulted in very confusing failures if the path to the executable was very long. Reported by David Rowley --- diff --git a/src/test/isolation/isolation_main.c b/src/test/isolation/isolation_main.c index 94f01b81d3..78604375ab 100644 --- a/src/test/isolation/isolation_main.c +++ b/src/test/isolation/isolation_main.c @@ -98,6 +98,8 @@ isolation_start_test(const char *testname, static void isolation_init(int argc, char **argv) { + size_t argv0_len; + /* * We unfortunately cannot do the find_other_exec() lookup to find the * "isolationtester" binary here. regression_main() calls the @@ -107,7 +109,13 @@ isolation_init(int argc, char **argv) * does to fail since it's linked to libpq. So we instead copy argv[0] * and do the lookup the first time through isolation_start_test(). */ - strncpy(saved_argv0, argv[0], MAXPGPATH); + argv0_len = strlcpy(saved_argv0, argv[0], MAXPGPATH); + if (argv0_len >= MAXPGPATH) + { + fprintf(stderr, _("path for isolationtester executable is longer than %i bytes\n"), + (int) (MAXPGPATH - 1)); + exit(2); + } /* set default regression database name */ add_stringlist_item(&dblist, "isolationtest");