PostgreSQL contains a buffer overflow vulnerability in its to_ascii() function. to_ascii() converts text from a non-ASCII single-byte encoding (LATIN1, LATIN2 or WIN1250 in the 7.x releases) to ASCII; because of an off-by-one loop bound and a miscomputed end-of-input pointer, the conversion reads and writes past the end of the text value it operates on.
Credit:
The information has been provided by OpenPKG.
The vulnerability has been discovered by Guido Notari.
Vulnerable systems:
* PostgreSQL version 7.2.x
* PostgreSQL version 7.3.1, 7.3.2, 7.3.3
Immune systems:
* PostgreSQL version 7.3.4
In line 66 of ascii.c the copying loop of pg_to_ascii() reads:

    for (x = src; x <= src_end; x++)
    {
        if (*x < 128)
            *desc++ = *x;

The pointer 'x' runs from src up to and including src_end. Since src_end is meant to point just past the last input byte, the inclusive bound makes the loop read one byte beyond the input and, because the output is written in place, write one byte beyond the output as well: a classic off-by-one.
A second problem resides in the caller in the same file, which computes the end pointer passed to pg_to_ascii():

    pg_to_ascii(
        (unsigned char *) VARDATA(data),   /* src */
        VARDATA(data) + VARSIZE(data),     /* src end */
        (unsigned char *) VARDATA(data),   /* desc */
        enc);                              /* encoding */

VARSIZE(data) is the total length of the varlena value, including its 4-byte length header (VARHDRSZ), while VARDATA(data) already points past that header. Adding the two therefore yields a src_end that lies 4 bytes beyond the end of the actual text payload; together with the inclusive loop bound above, the conversion walks 5 bytes past the end of the buffer, reading whatever follows it on the heap and writing the converted bytes back over it. The missing (unsigned char *) cast on the second argument is only cosmetic and does not change the result; the correct end pointer is (unsigned char *) data + VARSIZE(data), i.e. VARDATA(data) + VARSIZE(data) - VARHDRSZ, combined with a strict 'x < src_end' loop condition.
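The following program is an added example and is not PostgreSQL's code. It models the two defects described above with a minimal stand-in for the varlena layout (VARHDRSZ, VARSIZE, VARDATA) and a toy replacement for pg_to_ascii() that only cares about the loop bound, then runs the vulnerable and the corrected end-pointer computation in place over a constructed LATIN1 payload followed by canary bytes and reports how many canary bytes were clobbered. The payload, canary size and the function names overrun_bytes/toy_to_ascii are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified varlena: a 4-byte length that counts the header itself, followed
 * by the data. This mirrors the PostgreSQL 7.x macros only closely enough to
 * show the arithmetic error (assumption for the example). */
#define VARHDRSZ    4
#define VARSIZE(p)  (*(const int32_t *)(p))
#define VARDATA(p)  ((char *)(p) + VARHDRSZ)

/* Toy stand-in for pg_to_ascii(): bytes below 128 are copied through, any other
 * byte becomes '?'. 'inclusive' reproduces the original 'x <= src_end' bound,
 * the fixed variant uses 'x < src_end'. Output is written in place, as in the
 * original, so every byte the loop reads is also overwritten. */
static void toy_to_ascii(unsigned char *src, unsigned char *src_end,
                         unsigned char *desc, int inclusive)
{
    unsigned char *x;

    for (x = src; inclusive ? (x <= src_end) : (x < src_end); x++)
        *desc++ = (*x < 128) ? *x : '?';
}

/* Vulnerable caller: VARSIZE includes the 4-byte header, so src_end lands
 * 4 bytes past the payload; the inclusive loop adds one more. */
static void encode_vulnerable(void *data)
{
    toy_to_ascii((unsigned char *) VARDATA(data),
                 (unsigned char *) (VARDATA(data) + VARSIZE(data)),
                 (unsigned char *) VARDATA(data), 1);
}

/* Corrected caller: end pointer = start of the value + its total size, which
 * is exactly one past the last payload byte, and a strict loop bound. */
static void encode_fixed(void *data)
{
    toy_to_ascii((unsigned char *) VARDATA(data),
                 (unsigned char *) data + VARSIZE(data),
                 (unsigned char *) VARDATA(data), 0);
}

/* Build a varlena holding a constructed LATIN1 payload ("caf\xe9" = "café"),
 * follow it with canary bytes (0xAA, which the converter would turn into '?'),
 * run the chosen variant, and return how many canary bytes were overwritten.
 * Returns -1 on allocation failure. */
int overrun_bytes(int use_fixed)
{
    static const unsigned char payload[] = "caf\xe9";
    const int payload_len = (int) sizeof(payload) - 1;
    enum { CANARY = 16 };
    const int32_t vl_len = VARHDRSZ + payload_len;   /* header counts itself */
    unsigned char *buf = malloc((size_t) vl_len + CANARY);
    unsigned char *canary;
    int i, touched = 0;

    if (buf == NULL)
        return -1;

    memcpy(buf, &vl_len, sizeof vl_len);
    memcpy(VARDATA(buf), payload, (size_t) payload_len);
    canary = (unsigned char *) VARDATA(buf) + payload_len;
    memset(canary, 0xAA, CANARY);

    if (use_fixed)
        encode_fixed(buf);
    else
        encode_vulnerable(buf);

    for (i = 0; i < CANARY; i++)
        if (canary[i] != 0xAA)
            touched++;

    free(buf);
    return touched;
}

int main(void)
{
    printf("vulnerable end pointer + '<=' : %d bytes past payload\n",
           overrun_bytes(0));
    printf("fixed end pointer + '<'       : %d bytes past payload\n",
           overrun_bytes(1));
    return 0;
}
```

The vulnerable path reports 5 clobbered canary bytes (4 from the header-sized miscount plus 1 from the inclusive bound) while the fixed path reports 0. In the real server the bytes after a palloc'd text value are other heap allocations, which is why the advisory classifies this as a buffer overflow rather than a harmless over-read.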