git.ipfire.org Git - thirdparty/postgresql.git/commit
Mark PQfn() unsafe and fix overrun in frontend LO interface.
author Nathan Bossart <nathan@postgresql.org>
Mon, 11 May 2026 12:13:48 +0000 (05:13 -0700)
committer Noah Misch <noah@leadboat.com>
Mon, 11 May 2026 12:13:48 +0000 (05:13 -0700)
commit be013644043e5bae7260c09ab49cc6d64b7992be
tree 1f859a69bc64f28979445cac7612f3fad0128a5b
parent 67dd6243dc95df560ff3c31ed5b6e9474d98c4c3
Mark PQfn() unsafe and fix overrun in frontend LO interface.

When result_is_int is set to 0, PQfn() cannot validate that the
result fits in result_buf, so it will write data beyond the end of
the buffer when the server returns more data than requested.  Since
this function is insecurable and obsolete, add a warning to the top
of the pertinent documentation advising against its use.

The only in-tree caller of PQfn() is the frontend large object
interface.  To fix that, add a buf_size parameter to
pqFunctionCall3() that is used to protect against overruns, and use
it in a private version of PQfn() that also accepts a buf_size
parameter.

Reported-by: Yu Kunpeng <yu443940816@live.com>
Reported-by: Martin Heistermann <martin.heistermann@unibe.ch>
Author: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Etsuro Fujita <etsuro.fujita@gmail.com>
Security: CVE-2026-6477
Backpatch-through: 14
doc/src/sgml/libpq.sgml
src/interfaces/libpq/fe-exec.c
src/interfaces/libpq/fe-lobj.c
src/interfaces/libpq/fe-protocol3.c
src/interfaces/libpq/libpq-int.h
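
The kind of check a buf_size parameter makes possible, as an added sketch in C that is not libpq's code and not taken from this commit: a server-supplied length is validated against the caller's real buffer capacity before anything is copied. The function name `read_result`, the status codes, and the reply layout (4-byte big-endian length followed by data) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch. */
enum { RES_OK = 0, RES_TRUNCATED_MSG = -1, RES_TOO_LARGE = -2 };

/* Decode a 4-byte big-endian length. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Copy a server-supplied result into buf (capacity buf_size).
 * Assumed reply layout: int32 length, then that many data bytes.
 * The peer controls the length field, so it is checked against the bytes
 * actually received and against the caller's capacity before the copy.
 */
int read_result(const unsigned char *msg, size_t msg_len,
                void *buf, size_t buf_size, size_t *actual_len)
{
    uint32_t claimed;

    if (msg_len < 4)
        return RES_TRUNCATED_MSG;
    claimed = be32(msg);
    if (claimed > msg_len - 4)
        return RES_TRUNCATED_MSG;  /* length field exceeds received data */
    if (claimed > buf_size)
        return RES_TOO_LARGE;      /* would overrun the caller's buffer */
    memcpy(buf, msg + 4, claimed);
    *actual_len = claimed;
    return RES_OK;
}

int main(void)
{
    /* Constructed reply: claims 8 bytes although the caller asked for 4. */
    const unsigned char msg[12] = {0, 0, 0, 8, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
    unsigned char buf[4];
    size_t n = 0;

    printf("status=%d\n", read_result(msg, sizeof msg, buf, sizeof buf, &n));
    return 0;
}
```

Without the `buf_size` comparison the copy would be sized only by the peer's length field, which is the overrun the commit message describes for `result_is_int` set to 0.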