git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Noah Misch <noah@leadboat.com>
	Mon, 5 May 2025 11:52:04 +0000 (04:52 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 5 May 2025 11:52:07 +0000 (04:52 -0700)
commit	d1264948fccef7a7eac549b78d327f4d1640e946
tree	6eaabf679d243dba4c91ede3f3fa4e111f2989be	tree \| snapshot
parent	f3bb0b2c4a1a09efa18a76a153269d24980163d4	commit \| diff

With GB18030, prevent SIGSEGV from reading past end of allocation.

With GB18030 as source encoding, applications could crash the server via
SQL functions convert() or convert_from().  Applications themselves
could crash after passing unterminated GB18030 input to libpq functions
PQescapeLiteral(), PQescapeIdentifier(), PQescapeStringConn(), or
PQescapeString().  Extension code could crash by passing unterminated
GB18030 input to jsonapi.h functions.  All those functions have been
intended to handle untrusted, unterminated input safely.

A crash required allocating the input such that the last byte of the
allocation was the last byte of a virtual memory page.  Some malloc()
implementations take measures against that, making the SIGSEGV hard to
reach.  Back-patch to v13 (all supported versions).

Author: Noah Misch <noah@leadboat.com>
Author: Andres Freund <andres@anarazel.de>
Reviewed-by: Masahiko Sawada <sawada.mshk@gmail.com>
Backpatch-through: 13
Security: CVE-2025-4207

src/backend/utils/mb/mbutils.c		diff \| blob \| blame \| history
src/common/jsonapi.c		diff \| blob \| blame \| history
src/common/wchar.c		diff \| blob \| blame \| history
src/include/mb/pg_wchar.h		diff \| blob \| blame \| history
src/interfaces/libpq/fe-exec.c		diff \| blob \| blame \| history
src/interfaces/libpq/fe-misc.c		diff \| blob \| blame \| history
src/test/modules/test_escape/test_escape.c		diff \| blob \| blame \| history
src/test/regress/expected/conversion.out		diff \| blob \| blame \| history
src/test/regress/sql/conversion.sql		diff \| blob \| blame \| history