database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-27 23:21:58 +03:00
Code Activity

With GB18030, prevent SIGSEGV from reading past end of allocation.

Browse Source 
With GB18030 as source encoding, applications could crash the server via
SQL functions convert() or convert_from().  Applications themselves
could crash after passing unterminated GB18030 input to libpq functions
PQescapeLiteral(), PQescapeIdentifier(), PQescapeStringConn(), or
PQescapeString().  Extension code could crash by passing unterminated
GB18030 input to jsonapi.h functions.  All those functions have been
intended to handle untrusted, unterminated input safely.

A crash required allocating the input such that the last byte of the
allocation was the last byte of a virtual memory page.  Some malloc()
implementations take measures against that, making the SIGSEGV hard to
reach.  Back-patch to v13 (all supported versions).

Author: Noah Misch <noah@leadboat.com>
Author: Andres Freund <andres@anarazel.de>
Reviewed-by: Masahiko Sawada <sawada.mshk@gmail.com>
Backpatch-through: 13
Security: CVE-2025-4207
This commit is contained in:
Noah Misch
2025-05-05 04:52:04 -07:00
parent 7279e58205
commit cbadeaca92
7 changed files with 171 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/backend/utils/mb/mbutils.c
View File

@ -971,7 +971,7 @@ pg_mbcliplen(const char *mbstr, int len, int limit)
}
/*
* pg_mbcliplen with specified encoding
* pg_mbcliplen with specified encoding; string must be valid in encoding
*/
int
pg_encoding_mbcliplen(int encoding, const char *mbstr,
@ -1569,12 +1569,12 @@ check_encoding_conversion_args(int src_encoding,
* report_invalid_encoding: complain about invalid multibyte character
*
* note: len is remaining length of string, not length of character;
* len must be greater than zero, as we always examine the first byte.
* len must be greater than zero (or we'd neglect initializing "buf").
*/
void
report_invalid_encoding(int encoding, const char *mbstr, int len)
{
int l = pg_encoding_mblen(encoding, mbstr);
int l = pg_encoding_mblen_or_incomplete(encoding, mbstr, len);
char buf[8 * 5 + 1];
char *p = buf;
int j,
@ -1601,18 +1601,26 @@ report_invalid_encoding(int encoding, const char *mbstr, int len)
* report_untranslatable_char: complain about untranslatable character
*
* note: len is remaining length of string, not length of character;
* len must be greater than zero, as we always examine the first byte.
* len must be greater than zero (or we'd neglect initializing "buf").
*/
void
report_untranslatable_char(int src_encoding, int dest_encoding,
const char *mbstr, int len)
{
int l = pg_encoding_mblen(src_encoding, mbstr);
int l;
char buf[8 * 5 + 1];
char *p = buf;
int j,
jlimit;
/*
* We probably could use plain pg_encoding_mblen(), because
* gb18030_to_utf8() verifies before it converts. All conversions should.
* For src_encoding!=GB18030, len>0 meets pg_encoding_mblen() needs. Even
* so, be defensive, since a buggy conversion might pass invalid data.
* This is not a performance-critical path.
*/
l = pg_encoding_mblen_or_incomplete(src_encoding, mbstr, len);
jlimit = Min(l, len);
jlimit = Min(jlimit, 8); /* prevent buffer overrun */