Sir Mordred The Traitor <[EMAIL PROTECTED]> writes:
> template1=# select substring('xxxxxxxx',2,2147483647);
With CVS HEAD (with database encoding = SQL_ASCII and UNICODE), I get:
nconway=# select substring('xxxxxxxx',2,2147483647);
ERROR: negative substring length not allowed
With REL7_2_STABLE, I get:
template1=# select substring('xxxxxxxx',2,2147483647);
ERROR: MemoryContextAlloc: invalid request size 2147483651
> template1=# select bpchar('x',100000000);
With both CVS HEAD and REL7_2_STABLE, I get:
template1=# select bpchar('x',100000000);
zsh: 7312 segmentation fault (core dumped) ./psql template1
(note that it's the client, and not the backend, that crashes)
Although the backend does allocate a couple hundred megs of memory
while processing the query.
Although I haven't looked at the code yet, it's probably worth noting
that the two test cases posted above are not cut-and-dry DoS
opportunities, AFAICT -- however, the code may still be vulnerable.
Cheers,
Neil
--
Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
