lib / pq

Pure Go Postgres driver for database/sql
https://pkg.go.dev/github.com/lib/pq
MIT License

possible integer truncation #1055

Closed jfcg closed 2 years ago

jfcg commented 2 years ago

https://github.com/lib/pq/blob/756b4d73db86a374aecc8bb20f134f8c4dc81a49/encode.go#L562-L566

r is converted to byte, so it seems that the last parameter to ParseInt should be 8 instead of 9. Also, ParseUint should be used instead.

https://github.com/lib/pq/blob/756b4d73db86a374aecc8bb20f134f8c4dc81a49/array.go#L590-L594

Instead of Atoi, ParseInt(string(v), 10, 32) should be used.

Discovered by CodeQL.

cbandy commented 2 years ago

https://github.com/lib/pq/blob/756b4d73db86a374aecc8bb20f134f8c4dc81a49/encode.go#L562-L566

r is converted to byte, so it seems that the last parameter to ParseInt should be 8 instead of 9. Also, ParseUint should be used instead.

ParseInt returns an error when parsing text greater than 0o177 into 8 bits. The fix is to use ParseUint(…, 8, 8) as you've said.

https://github.com/lib/pq/blob/756b4d73db86a374aecc8bb20f134f8c4dc81a49/array.go#L590-L594

Instead of Atoi, ParseInt(string(v), 10, 32) should be used. Discovered by CodeQL.

Agreed. The Int64 parser does so already, and database/sql behaves similarly.

https://github.com/lib/pq/blob/756b4d73db86a374aecc8bb20f134f8c4dc81a49/array.go#L529-L531

https://github.com/golang/go/blob/0406d3a8e5301bd5fd697018e6e8fbb9c75eeb42/src/database/sql/convert.go#L434-L439
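The strconv behaviour behind both call sites, as an added stand-alone example (not lib/pq's own code): each pre-fix shape is placed beside the parse the thread recommends, with constructed inputs that show where the bitSize argument rather than the later conversion does the range checking. Function names and inputs are the example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// Pre-fix shape: a signed 9-bit parse converted to byte. 0o000..0o377 fit, but a
// sign is accepted and the int64 -> byte conversion wraps instead of failing.
func parseOctalEscapeSigned9(s string) (byte, error) {
	r, err := strconv.ParseInt(s, 8, 9)
	return byte(r), err // value is meaningless when err != nil
}

// Fix from the thread: unsigned 8-bit parse, so 0o400 and "-1" are errors.
// ParseInt(s, 8, 8) would be wrong here: it rejects 0o200..0o377 as > int8 max.
func parseOctalEscape(s string) (byte, error) {
	r, err := strconv.ParseUint(s, 8, 8)
	return byte(r), err
}

// Pre-fix shape: Atoi parses into a platform int (64-bit on most builds), and the
// int32 conversion wraps, e.g. "4294967297" becomes 1.
func parseInt32ViaAtoi(s string) (int32, error) {
	n, err := strconv.Atoi(s)
	return int32(n), err
}

// Fix from the thread: bitSize 32 makes anything outside int32 a range error.
func parseInt32(s string) (int32, error) {
	n, err := strconv.ParseInt(s, 10, 32)
	return int32(n), err
}

func main() {
	// Constructed inputs covering the in-range, wrapping and out-of-range cases.
	for _, s := range []string{"377", "-1", "400"} {
		a, aErr := parseOctalEscapeSigned9(s)
		b, bErr := parseOctalEscape(s)
		fmt.Printf("octal %q: signed9=%d (%v) uint8=%d (%v)\n", s, a, aErr, b, bErr)
	}
	for _, s := range []string{"2147483647", "4294967297"} {
		a, aErr := parseInt32ViaAtoi(s)
		b, bErr := parseInt32(s)
		fmt.Printf("decimal %q: atoi=%d (%v) int32=%d (%v)\n", s, a, aErr, b, bErr)
	}
}
```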