Mark PQfn() unsafe and fix overrun in frontend LO interface.

When result_is_int is set to 0, PQfn() cannot validate that the result fits in result_buf, so it will write data beyond the end of the buffer when the server returns more data than requested. Since this function is insecurable and obsolete, add a warning to the top of the pertinent documentation advising against its use.

The only in-tree caller of PQfn() is the frontend large object interface. To fix that, add a buf_size parameter to pqFunctionCall3() that is used to protect against overruns, and use it in a private version of PQfn() that also accepts a buf_size parameter.

Reported-by: Yu Kunpeng <[email protected]>
Reported-by: Martin Heistermann <[email protected]>
Author: Nathan Bossart <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Reviewed-by: Tom Lane <[email protected]>
Reviewed-by: Etsuro Fujita <[email protected]>
Security: CVE-2026-6477
Backpatch-through: 14

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/e3a1f83eae4fc1d8281908322189d4f95de873a7

Author: Nathan Bossart <[email protected]>

Modified Files
--------------
doc/src/sgml/libpq.sgml             | 11 ++++++++---
src/interfaces/libpq/fe-exec.c      | 16 +++++++++++++++-
src/interfaces/libpq/fe-lobj.c      | 12 ++++++------
src/interfaces/libpq/fe-protocol3.c | 14 +++++++++++++-
src/interfaces/libpq/libpq-int.h    |  6 +++++-
5 files changed, 47 insertions(+), 12 deletions(-)
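The overrun described in the commit message comes from copying a server-chosen result length into a caller-supplied buffer without knowing that buffer's capacity. The following is an added illustration, not code from libpq or from this commit: it parses a constructed FunctionCallResponse body (the documented v3 layout, an Int32 result length with -1 meaning NULL, followed by that many bytes) and copies the result only after checking it against a caller-supplied buf_size, which is the idea the fix adds to pqFunctionCall3(). The function and enum names (fn_copy_result, fn_status, the demo_* helpers) and the sample messages are assumptions constructed for the example.

```c
/* Added example (not libpq code): bounded copy of a FunctionCallResponse
 * result into a caller buffer. Layout follows the documented v3 wire format:
 * Int32 result length (-1 = NULL) followed by that many bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum fn_status {
    FN_OK = 0,        /* result copied into result_buf */
    FN_NULL = 1,      /* server returned a NULL result; nothing copied */
    FN_TRUNC = -1,    /* result longer than buf_size; nothing copied */
    FN_BAD_INT = -2,  /* result_is_int set but result is not 4 bytes */
    FN_SHORT = -3     /* message shorter than its own length field claims */
};

static int32_t read_be32(const unsigned char *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* msg/msg_len: payload after the 'V' type byte and the message length field.
 * result_is_int: caller expects a 4-byte integer stored host-order in result_buf.
 * buf_size: capacity of result_buf, checked before any byte is written.
 * result_len: receives the server's stated length even when the copy is refused,
 * so the caller can distinguish truncation from an empty result. */
int fn_copy_result(const unsigned char *msg, size_t msg_len,
                   int result_is_int, void *result_buf, size_t buf_size,
                   int32_t *result_len)
{
    if (msg_len < 4)
        return FN_SHORT;
    int32_t len = read_be32(msg);
    *result_len = len;
    if (len == -1)
        return FN_NULL;
    if (len < 0 || (size_t)len > msg_len - 4)
        return FN_SHORT;            /* length field does not match the bytes present */
    if (result_is_int) {
        if (len != 4 || buf_size < 4)
            return FN_BAD_INT;      /* an integer result must be exactly 4 bytes */
        int32_t v = read_be32(msg + 4);
        memcpy(result_buf, &v, 4);
        return FN_OK;
    }
    if ((size_t)len > buf_size)
        return FN_TRUNC;            /* refuse the copy instead of overrunning */
    memcpy(result_buf, msg + 4, (size_t)len);
    return FN_OK;
}

/* Constructed message: a 12-byte result offered to an 8-byte buffer. */
int demo_overlong_result(void)
{
    const unsigned char msg[4 + 12] = {0, 0, 0, 12, 'A','B','C','D','E','F','G','H','I','J','K','L'};
    unsigned char buf[8] = {0};
    int32_t len = 0;
    return fn_copy_result(msg, sizeof msg, 0, buf, sizeof buf, &len);
}

/* Same message, but a buffer large enough to hold it. */
int demo_fitting_result(void)
{
    const unsigned char msg[4 + 12] = {0, 0, 0, 12, 'A','B','C','D','E','F','G','H','I','J','K','L'};
    unsigned char buf[16] = {0};
    int32_t len = 0;
    return fn_copy_result(msg, sizeof msg, 0, buf, sizeof buf, &len);
}

/* Constructed 4-byte integer result with value 42; returns the decoded value. */
int32_t demo_int_result(void)
{
    const unsigned char msg[8] = {0, 0, 0, 4, 0, 0, 0, 42};
    int32_t value = 0, len = 0;
    if (fn_copy_result(msg, sizeof msg, 1, &value, sizeof value, &len) != FN_OK)
        return -1;
    return value;
}

/* Constructed NULL result (length -1). */
int demo_null_result(void)
{
    const unsigned char msg[4] = {0xff, 0xff, 0xff, 0xff};
    unsigned char buf[8] = {0};
    int32_t len = 0;
    return fn_copy_result(msg, sizeof msg, 0, buf, sizeof buf, &len);
}

int main(void)
{
    printf("overlong: %d, fitting: %d, int: %d, null: %d\n",
           demo_overlong_result(), demo_fitting_result(),
           (int)demo_int_result(), demo_null_result());
    return 0;
}
```

The point of the buf_size check is that the server, not the client, decides the result length, so the client must treat that length as untrusted input and compare it against the capacity it actually has before calling memcpy; reporting the stated length back through result_len lets the caller tell a refused copy apart from a short or empty result.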
