Fix buffer overrun after incomplete read in pullf_read_max().

Most callers pass a stack buffer. The ensuing stack smash can crash the server, and we have not ruled out the viability of attacks that lead to privilege escalation. Back-patch to 9.0 (all supported versions). Marko Tiikkaja Security: CVE-2015-0243
2025-07-28 23:42:10 +03:00 · 2015-02-02 10:00:45 -05:00
parent bc4d5f2e57
commit 6994f07907
4 changed files with 54 additions and 1 deletions
--- a/contrib/pgcrypto/mbuf.c
+++ b/contrib/pgcrypto/mbuf.c
@ -305,6 +305,7 @@ pullf_read_max(PullFilter *pf, int len, uint8 **data_p, uint8 *tmpbuf)
 			break;
 		memcpy(tmpbuf + total, tmp, res);
 		total += res;
+		len -= res;
 	}
 	return total;
 }