From b515c6b5fafdff43e61017bc8494b4979f45d89c Mon Sep 17 00:00:00 2001
From: Marko Kreen
Date: Fri, 11 Sep 2009 14:23:59 +0000
Subject: [PATCH] Fix potential buffer overflow when len(typname) > 32

The fixed size buffer tmp[32] was not updated when type casting was added.
Reported by Ian Sollars
---
 src/query.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/query.c b/src/query.c
index 1deba9a..c734bf0 100644
--- a/src/query.c
+++ b/src/query.c
@@ -69,13 +69,13 @@ plproxy_query_add_const(QueryBuffer *q, const char *data)
 static void
 add_ref(StringInfo buf, int sql_idx, ProxyFunction *func, int fn_idx, bool add_type)
 {
- char tmp[32];
+ char tmp[1 + 3 + 2 + NAMEDATALEN*2 + 1];
 if (add_type)
- sprintf(tmp, "$%d::%s", sql_idx + 1,
+ snprintf(tmp, sizeof(tmp), "$%d::%s", sql_idx + 1,
 func->arg_types[fn_idx]->name);
 else
- sprintf(tmp, "$%d", sql_idx + 1);
+ snprintf(tmp, sizeof(tmp), "$%d", sql_idx + 1);
 appendStringInfoString(buf, tmp);
 }
-- 
2.39.5
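Review bot: The two `snprintf` calls in add_ref bound the write but ignore the return value, so a reference that does not fit in `tmp` is silently truncated and the shortened `$n::type` text is still appended to the query. The size `1 + 3 + 2 + NAMEDATALEN*2 + 1` is also undocumented, and it appears to allow only three digits for `sql_idx + 1` and a type name of at most `NAMEDATALEN*2` bytes. Whether `arg_types[fn_idx]->name` can be longer (for example a quoted, schema-qualified name) is not visible in this hunk. Since `buf` is already a StringInfo, the temporary can be dropped entirely by formatting straight into it: `appendStringInfo(buf, "$%d::%s", sql_idx + 1, func->arg_types[fn_idx]->name);` and `appendStringInfo(buf, "$%d", sql_idx + 1);`. If the fixed buffer stays, each term of the size expression should get a comment and the `snprintf` result should be compared against `sizeof(tmp)`, raising an error on truncation.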