diff options
| author | Daniel Gustafsson | 2024-09-10 09:02:28 +0000 |
|---|---|---|
| committer | Daniel Gustafsson | 2024-09-10 09:02:28 +0000 |
| commit | 390b3cbbb2af3c749587b0697c01c94e0e173510 (patch) | |
| tree | 1d6432a714488645f471cc62abd042a40f266ecd | |
| parent | 56fead44dcc70df9f9188fee08e5aefe3da43ccc (diff) | |
Protect against small overread in SASLprep validation
In case of torn UTF8 in the input data we might end up going
past the end of the string since we don't account for length.
While validation won't be performed on a sequence with a NULL
byte it's better to avoid going past the end to beging with.
Fix by taking the length into consideration.
Author: Jacob Champion <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/CAOYmi+mTnmM172g=_+Yvc47hzzeAsYPy2C4UBY3HK9p-AXNV0g@mail.gmail.com
| -rw-r--r-- | src/common/saslprep.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/common/saslprep.c b/src/common/saslprep.c index 315ccacd7c..78f6fcbd80 100644 --- a/src/common/saslprep.c +++ b/src/common/saslprep.c @@ -1004,15 +1004,17 @@ pg_utf8_string_len(const char *source) const unsigned char *p = (const unsigned char *) source; int l; int num_chars = 0; + size_t len = strlen(source); - while (*p) + while (len) { l = pg_utf_mblen(p); - if (!pg_utf8_islegal(p, l)) + if (len < l || !pg_utf8_islegal(p, l)) return -1; p += l; + len -= l; num_chars++; } |