git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Nathan Bossart <nathan@postgresql.org>
	Mon, 11 May 2026 12:13:47 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:47 +0000 (05:13 -0700)
commit	bd48114937c8af9cb86972e2b576924a761359cf
tree	d4d6524117d830f7c6dd5c4a26a96307ffe19c2c	tree \| snapshot
parent	6d68fcb28f9180289d1910d3fa7fca2d32021730	commit \| diff

Mark PQfn() unsafe and fix overrun in frontend LO interface.

When result_is_int is set to 0, PQfn() cannot validate that the
result fits in result_buf, so it will write data beyond the end of
the buffer when the server returns more data than requested. Since
this function is insecurable and obsolete, add a warning to the top
of the pertinent documentation advising against its use.

The only in-tree caller of PQfn() is the frontend large object
interface. To fix that, add a buf_size parameter to
pqFunctionCall3() that is used to protect against overruns, and use
it in a private version of PQfn() that also accepts a buf_size
parameter.

Reported-by: Yu Kunpeng <yu443940816@live.com>
Reported-by: Martin Heistermann <martin.heistermann@unibe.ch>
Author: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Etsuro Fujita <etsuro.fujita@gmail.com>
Security: CVE-2026-6477
Backpatch-through: 14

doc/src/sgml/libpq.sgml		diff \| blob \| blame \| history
src/interfaces/libpq/fe-exec.c		diff \| blob \| blame \| history
src/interfaces/libpq/fe-lobj.c		diff \| blob \| blame \| history
src/interfaces/libpq/fe-protocol3.c		diff \| blob \| blame \| history
src/interfaces/libpq/libpq-int.h		diff \| blob \| blame \| history