Fix buffer overrun after incomplete read in pullf_read_max().

Most callers pass a stack buffer. The ensuing stack smash can crash the server, and we have not ruled out the viability of attacks that lead to privilege escalation. Back-patch to 9.0 (all supported versions). Marko Tiikkaja Security: CVE-2015-0243
2025-07-27 12:41:57 +03:00 · 2015-02-02 10:00:45 -05:00
parent 9e05c5063e
commit ce6f261cd2
4 changed files with 53 additions and 1 deletions
--- a/contrib/pgcrypto/mbuf.c
+++ b/contrib/pgcrypto/mbuf.c
@ -305,6 +305,7 @@ pullf_read_max(PullFilter *pf, int len, uint8 **data_p, uint8 *tmpbuf)
 			break;
 		memcpy(tmpbuf + total, tmp, res);
 		total += res;
+		len -= res;
 	}
 	return total;
 }