From ec5f89e8a29f32c7dbc4dd8734ed8406d771de2f Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 5 May 2025 04:52:04 -0700 Subject: With GB18030, prevent SIGSEGV from reading past end of allocation. With GB18030 as source encoding, applications could crash the server via SQL functions convert() or convert_from(). Applications themselves could crash after passing unterminated GB18030 input to libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeStringConn(), or PQescapeString(). Extension code could crash by passing unterminated GB18030 input to jsonapi.h functions. All those functions have been intended to handle untrusted, unterminated input safely. A crash required allocating the input such that the last byte of the allocation was the last byte of a virtual memory page. Some malloc() implementations take measures against that, making the SIGSEGV hard to reach. Back-patch to v13 (all supported versions). Author: Noah Misch Author: Andres Freund Reviewed-by: Masahiko Sawada Backpatch-through: 13 Security: CVE-2025-4207 --- src/common/jsonapi.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'src/common/jsonapi.c') diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c index 2527dbe1da9..cd34986d1a4 100644 --- a/src/common/jsonapi.c +++ b/src/common/jsonapi.c @@ -1689,8 +1689,11 @@ json_lex_string(JsonLexContext *lex) } while (0) #define FAIL_AT_CHAR_END(code) \ do { \ - const char *term = s + pg_encoding_mblen(lex->input_encoding, s); \ - lex->token_terminator = (term <= end) ? term : end; \ + ptrdiff_t remaining = end - s; \ + int charlen; \ + charlen = pg_encoding_mblen_or_incomplete(lex->input_encoding, \ + s, remaining); \ + lex->token_terminator = (charlen <= remaining) ? s + charlen : end; \ return code; \ } while (0) -- cgit v1.2.3