From: Bruce Momjian Date: Wed, 20 Nov 1996 22:53:10 +0000 (+0000) Subject: There is a bug in aclinsert3 in the code which update the acl arrays. X-Git-Tag: REL2_0~80 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c4d6bda2c56a9252364272bd0a8779a5a815872b;p=postgresql There is a bug in aclinsert3 in the code which update the acl arrays. When an acl item is added or updated the new entry is deleted if it has no permissions and the acl array is shrinked. This is is done by decrementing the number of items without updating the corresponding array size. The array with the incorrect size is later read by pg_aclcheck and the entry count is used to allocate a new array while the array size is used to copy the old one. This causes a memory corruption and a backend crash. This happens only to normal user as the administrator bypasses acl checks. Massimo Dal Zotto --- diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index 76c0f91be8..60752ea8c9 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -7,7 +7,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.7 1996/11/17 04:26:59 momjian Exp $ + * $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.8 1996/11/20 22:53:10 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -417,6 +417,8 @@ aclinsert3(Acl *old_acl, AclItem *mod_aip, unsigned modechg) new_aip[i-1].ai_mode = new_aip[i].ai_mode; } ARR_DIMS(new_acl)[0] = num -1 ; + /* Adjust also the array size because it is used for memmove */ + ARR_SIZE(new_acl) -= sizeof(AclItem); break; } }