if salt_len == 0. This seems to be mostly academic, since nearly all calling
code paths guarantee nonempty salt; the only case that doesn't is
PQencryptPassword where the caller could mistakenly pass an empty username.
So, fix it but don't bother backpatching. Per ljb.
char *buf)
{
size_t passwd_len = strlen(passwd);
- char *crypt_buf = malloc(passwd_len + salt_len);
+ /* +1 here is just to avoid risk of unportable malloc(0) */
+ char *crypt_buf = malloc(passwd_len + salt_len + 1);
bool ret;
if (!crypt_buf)
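Review bot: minor point on the `malloc(passwd_len + salt_len + 1)` line: the size expression is computed without a wraparound check, and both terms come from the caller (`passwd_len` is `strlen(passwd)`, `salt_len` is passed in). A guard before the allocation that rejects lengths whose sum would overflow `size_t` would make the two `memcpy` calls that follow provably in bounds. The new comment could also say that the extra byte is never written, so nobody later reads it as room for a terminator.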
* Place salt at the end because it may be known by users trying to crack
* the MD5 output.
*/
- strcpy(crypt_buf, passwd);
+ memcpy(crypt_buf, passwd, passwd_len);
memcpy(crypt_buf + passwd_len, salt, salt_len);
strcpy(buf, "md5");
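Review bot: after the switch to `memcpy(crypt_buf, passwd, passwd_len)`, `crypt_buf` never carries a terminating NUL, but the block comment above still talks only about salt placement. It should also state that the buffer is length-counted, holding exactly `passwd_len + salt_len` bytes, and that whatever consumes it must be given that length explicitly. Without that note, a later edit could reintroduce a `str*` call on it, which is the pattern that wrote one byte past the old `passwd_len + salt_len` allocation when `salt_len` was 0.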