git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Nathan Bossart <nathan@postgresql.org>
	Mon, 11 May 2026 12:13:51 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:51 +0000 (05:13 -0700)
commit	8ac723b2bc992fd86b09ae73c7c610242c4c037e
tree	54455250a8b95a3827218c4e0dc7545de1c34d52	tree \| snapshot
parent	8e81995de30c5a1834d7dae56a6396067d491975	commit \| diff

Mark PQfn() unsafe and fix overrun in frontend LO interface.

When result_is_int is set to 0, PQfn() cannot validate that the
result fits in result_buf, so it will write data beyond the end of
the buffer when the server returns more data than requested. Since
this function is insecurable and obsolete, add a warning to the top
of the pertinent documentation advising against its use.

The only in-tree caller of PQfn() is the frontend large object
interface. To fix that, add a buf_size parameter to
pqFunctionCall3() that is used to protect against overruns, and use
it in a private version of PQfn() that also accepts a buf_size
parameter.

Reported-by: Yu Kunpeng <yu443940816@live.com>
Reported-by: Martin Heistermann <martin.heistermann@unibe.ch>
Author: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Etsuro Fujita <etsuro.fujita@gmail.com>
Security: CVE-2026-6477
Backpatch-through: 14

doc/src/sgml/libpq.sgml		diff \| blob \| blame \| history
src/interfaces/libpq/fe-exec.c		diff \| blob \| blame \| history
src/interfaces/libpq/fe-lobj.c		diff \| blob \| blame \| history
src/interfaces/libpq/fe-protocol3.c		diff \| blob \| blame \| history
src/interfaces/libpq/libpq-int.h		diff \| blob \| blame \| history