Skip site navigation (1) Skip section navigation (2)

Peripheral Links

Header And Logo

PostgreSQL
| The world's most advanced open source database.

Site Navigation

Search archives
  Advanced Search

Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL

  • From: Neil Conway <neilc(at)samurai(dot)com>
  • To: Sir Mordred The Traitor <mordred(at)s-mail(dot)com>
  • Cc: pgsql-hackers(at)postgresql(dot)org
  • Subject: Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL
  • Date: 28 Aug 2002 15:10:57 -0400
  • Message-id: <87elcidcji.fsf@mailbox.samurai.com> <text/plain>
Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> Upon invoking a polygon(integer, circle) function a
> src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
> called, which suffers from a buffer overflow.
> 
> 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
> buffer overrun condition. It is called in multiple places, the most
> interesting are path_out() and poly_out() functions.

> 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
> a simple buffer overrun.

I've attached a patch which should fix these problems.

> 3) Upon converting a char string to a path object, a
> src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
> which suffers from a buffer overrun, caused by a very long argument.

> 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
> detect a buffer overrun condition caused by a very long argument.

I wasn't able to reproduce either of these (wouldn't it require an
input string with several hundred thousand commas?), can you give me a
test-case?

Cheers,

Neil

-- 
Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC

Attachment: geo_fixes-1.patch
Description: Text Data

Home | Main Index | Thread Index

Privacy Policy | About PostgreSQL
Copyright © 1996 – 2012 PostgreSQL Global Development Group