authorFrédéric Buclin <LpSolit@gmail.com>2010-08-05 00:10:22 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2010-08-05 00:10:22 +0200
commit861fef876f3cb8a50437ee41b6ba4c8d0cb1e239 (patch)
treeb76de5a3b2541e76ee018f6a7e8afd33ecf8f979 /Bugzilla/Object.pm
parent2ea4b3d38e8a012f61d20e6831daaf06493c3d95 (diff)
downloadbugzilla-861fef876f3cb8a50437ee41b6ba4c8d0cb1e239.tar.gz
bugzilla-861fef876f3cb8a50437ee41b6ba4c8d0cb1e239.tar.xz
Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing a bug if a comment contains 'bug <num>' or 'attachment <num>' where <num> is greater than the max allowed integer
r=mkanat a=LpSolit
Diffstat (limited to 'Bugzilla/Object.pm')
-rw-r--r--Bugzilla/Object.pm5
1 files changed, 5 insertions, 0 deletions
diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index a7c92b269..66dac9422 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -87,6 +87,9 @@ sub _init {
|| ThrowCodeError('param_must_be_numeric',
{function => $class . '::_init'});
+ # Too large integers make PostgreSQL crash.
+ return if $id > MAX_INT_32;
+
$object = $dbh->selectrow_hashref(qq{
SELECT $columns FROM $table
WHERE $id_field = ?}, undef, $id);
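Review bot: The added comment `# Too large integers make PostgreSQL crash.` misstates the failure: going by the commit title it is the Bugzilla request that dies, presumably because PostgreSQL rejects the out-of-range integer with an error, not the database server itself. I would write `# PostgreSQL rejects ids above MAX_INT_32 with an error that aborts the request; treat such an id as not found.` here and on the identical comment in the new_from_list hunk. The bare `return` makes an oversized id indistinguishable from a missing row for the caller, which looks intended and is worth saying in that comment. MAX_INT_32 is not defined anywhere in this diff, so it is presumably already imported from a constants module; confirm that before merging. The body of _init starts and ends outside this hunk.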
@@ -165,6 +168,8 @@ sub new_from_list {
detaint_natural($id) ||
ThrowCodeError('param_must_be_numeric',
{function => $class . '::new_from_list'});
+ # Too large integers make PostgreSQL crash.
+ next if $id > MAX_INT_32;
push(@detainted_ids, $id);
}
# We don't do $invocant->match because some classes have
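Review bot: `next if $id > MAX_INT_32;` drops the oversized id silently, so new_from_list can return fewer objects than ids passed in, and @detainted_ids can end up empty when every id is out of range. The comment should state that the skip is deliberate, for example `# Skip ids too large for a 32-bit id column; they cannot match a row.`, and the code after the loop, which lies outside this hunk, should be checked for how it handles an empty list. Placing the guard after detaint_natural() is the right order, since the numeric comparison then only sees a validated natural number.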