From c4d6bda2c56a9252364272bd0a8779a5a815872b Mon Sep 17 00:00:00 2001
From: Bruce Momjian <bruce@momjian.us>
Date: Wed, 20 Nov 1996 22:53:10 +0000
Subject: [PATCH] There is a bug in aclinsert3 in the code which updates the acl
 arrays. When an acl item is added or updated the new entry is deleted if it
 has no permissions and the acl array is shrunk. This is done by
 decrementing the number of items without updating the corresponding array
 size. The array with the incorrect size is later read by pg_aclcheck and the
 entry count is used to allocate a new array while the array size is used to
 copy the old one. This causes memory corruption and a backend crash. This
 happens only to normal users as the administrator bypasses acl checks. Massimo
 Dal Zotto

---
 src/backend/utils/adt/acl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 76c0f91be84..60752ea8c9e 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *    $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.7 1996/11/17 04:26:59 momjian Exp $
+ *    $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.8 1996/11/20 22:53:10 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -417,6 +417,8 @@ aclinsert3(Acl *old_acl, AclItem *mod_aip, unsigned modechg)
 		new_aip[i-1].ai_mode = new_aip[i].ai_mode;
 	    }
 	    ARR_DIMS(new_acl)[0] = num -1 ;
+	    /* Adjust also the array size because it is used for memmove */
+	    ARR_SIZE(new_acl) -= sizeof(AclItem);
 	    break;
 	}
     }
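Review bot: The added `ARR_SIZE(new_acl) -= sizeof(AclItem);` keeps the size consistent only if ARR_SIZE was already exactly header plus num entries before the shrink; recomputing the size from the new count (the `ACL_N_SIZE` macro in acl.h, if this tree has it) would not depend on the previous value holding that invariant. The comment on the added line should name the real contract rather than one consumer, e.g. `/* ARR_DIMS and ARR_SIZE must stay in step: pg_aclcheck allocates from the count but copies ARR_SIZE bytes */`. Since the mismatch was reachable as a backend crash by any non-superuser's ACL check, an assertion after the shrink that the size matches the entry count would catch a future regression at the point of corruption rather than in the reader. If the insertion branch of aclinsert3 (outside this hunk) grows the array, it is worth confirming that it updates ARR_SIZE as well. aclinsert3's body begins before this hunk and continues after it.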
-- 
GitLab