From 390b3cbbb2af3c749587b0697c01c94e0e173510 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Tue, 10 Sep 2024 11:02:28 +0200
Subject: [PATCH] Protect against small overread in SASLprep validation

In case of torn UTF8 in the input data we might end up going past the end of the string since we don't account for length. While validation won't be performed on a sequence with a NULL byte it's better to avoid going past the end to beging with. Fix by taking the length into consideration.

Author: Jacob Champion
Reviewed-by: Daniel Gustafsson
Discussion: https://postgr.es/m/CAOYmi+mTnmM172g=_+Yvc47hzzeAsYPy2C4UBY3HK9p-AXNV0g@mail.gmail.com
---
 src/common/saslprep.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/common/saslprep.c b/src/common/saslprep.c
index 315ccacd7ce..78f6fcbd805 100644
--- a/src/common/saslprep.c
+++ b/src/common/saslprep.c
@@ -1004,15 +1004,17 @@ pg_utf8_string_len(const char *source)
 const unsigned char *p = (const unsigned char *) source;
 int l;
 int num_chars = 0;
+ size_t len = strlen(source);
- while (*p)
+ while (len)
 {
 l = pg_utf_mblen(p);
- if (!pg_utf8_islegal(p, l))
+ if (len < l || !pg_utf8_islegal(p, l))
 return -1;
 p += l;
+ len -= l;
 num_chars++;
 }
--
2.30.2
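Review bot: The added guard `len < l` compares the `size_t` len with the `int` l, so the bound check and the later `len -= l` both depend on an implicit signed-to-unsigned conversion and on pg_utf_mblen() always returning a positive count, which is not visible in this hunk. Making that explicit keeps the check self-evidently safe and quiet under -Wsign-compare: `if (l <= 0 || len < (size_t) l || !pg_utf8_islegal(p, l))`. The loop would also benefit from a one-line comment recording why the remaining length is tracked, for example `/* reject a multibyte sequence cut short by the end of the string */`, since the reason now lives only in the commit message. The function body starts above and ends below the hunk, so the final return is not covered here.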