Commit 69bcdf5

committed

Fix possible uninitalized pointer access on unexpected array message data

When receiving multi-dimensional array data from the server, make sure the dimensions are valid. Fixes CVE-2020-17446. Reported-by: Robert Scott <bugs@humanleg.org.uk>

1 parent 39040b3 commit 69bcdf5Copy full SHA for 69bcdf5

File tree

1 file changed

+16

-7

lines changed

asyncpg/protocol/codecs
- array.pyx

1 file changed

+16

-7

lines changed

`‎asyncpg/protocol/codecs/array.pyx‎`

Lines changed: 16 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -286,16 +286,21 @@ cdef inline array_decode(ConnectionSettings settings, FRBuffer *buf,`
`286`	`286`	`Codec elem_codec`
`287`	`287`
`288`	`288`	`if ndims == 0:`
`289`		`- result = cpython.PyList_New(0)`
`290`		`- return result`
	`289`	`+ return []`
`291`	`290`
`292`	`291`	`if ndims > ARRAY_MAXDIM:`
`293`	`292`	`raise exceptions.ProtocolError(`
`294`	`293`	`'number of array dimensions ({}) exceed the maximum expected ({})'.`
`295`	`294`	`format(ndims, ARRAY_MAXDIM))`
	`295`	`+ elif ndims < 0:`
	`296`	`+ raise exceptions.ProtocolError(`
	`297`	`+ 'unexpected array dimensions value: {}'.format(ndims))`
`296`	`298`
`297`	`299`	`for i in range(ndims):`
`298`	`300`	`dims[i] = hton.unpack_int32(frb_read(buf, 4))`
	`301`	`+ if dims[i] < 0:`
	`302`	`+ raise exceptions.ProtocolError(`
	`303`	`+ 'unexpected array dimension size: {}'.format(dims[i]))`
`299`	`304`	`# Ignore the lower bound information`
`300`	`305`	`frb_read(buf, 4)`
`301`	`306`
`@@ -340,14 +345,18 @@ cdef _nested_array_decode(ConnectionSettings settings,`
`340`	`345`	`# An array of current positions at each array level.`
`341`	`346`	`int32_t indexes[ARRAY_MAXDIM]`
`342`	`347`
`343`		`- if PG_DEBUG:`
`344`		`- if ndims <= 0:`
`345`		`- raise exceptions.ProtocolError(`
`346`		`- 'unexpected ndims value: {}'.format(ndims))`
`347`		`-`
`348`	`348`	`for i in range(ndims):`
`349`	`349`	`array_len *= dims[i]`
`350`	`350`	`indexes[i] = 0`
	`351`	`+ strides[i] = NULL`
	`352`	`+`
	`353`	`+ if array_len == 0:`
	`354`	`+ # A multidimensional array with a zero-sized dimension?`
	`355`	`+ return []`
	`356`	`+`
	`357`	`+ elif array_len < 0:`
	`358`	`+ # Array length overflow`
	`359`	`+ raise exceptions.ProtocolError('array length overflow')`
`351`	`360`
`352`	`361`	`for i in range(array_len):`
`353`	`362`	`# Decode the element.`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 69bcdf5

File tree

1 file changed

1 file changed

`‎asyncpg/protocol/codecs/array.pyx‎`

0 commit comments