mirror of
https://github.com/postgres/postgres.git
synced 2026-03-14 06:32:18 -04:00
e58f042d9a
All known standard library implementations of these functions can fail with ENOMEM. A caller neglecting to check for failure would experience missing output, information exposure, or a crash. Check return values within wrappers and code, currently just snprintf.c, that bypasses the wrappers. The wrappers do not return after an error, so their callers need not check. Back-patch to 9.0 (all supported versions). Popular free software standard library implementations do take pains to bypass malloc() in simple cases, but they risk ENOMEM for floating point numbers, positional arguments, large field widths, and large precisions. No specification demands such caution, so this commit regards every call to a printf family function as a potential threat. Injecting the wrappers implicitly is a compromise between patch scope and design goals. I would prefer to edit each call site to name a wrapper explicitly. libpq and the ECPG libraries would, ideally, convey errors to the caller rather than abort(). All that would be painfully invasive for a back-patched security fix, hence this compromise. Security: CVE-2015-3166 |
||
|---|---|---|
| .. | ||
| compatlib | ||
| ecpglib | ||
| include | ||
| pgtypeslib | ||
| preproc | ||
| test | ||
| Makefile | ||
| README.dynSQL | ||
src/interfaces/ecpg/README.dynSQL descriptor statements have the following shortcomings - input descriptors (USING DESCRIPTOR <name>) are not supported Reason: to fully support dynamic SQL the frontend/backend communication should change to recognize input parameters. Since this is not likely to happen in the near future and you can cover the same functionality with the existing infrastructure (using s[n]printf), I'll leave the work to someone else.