|Subject:||Incorrect offset parameter parsing when offset overflows int range limit|
Consider the following code: # get $page_size and $page parameters from an HTTP request somehow. my $sql = SQL::Abstract::Limit->new(limit_dialect => $dbh); my $q = $sql->select("t", "f", undef, undef, $page_size, ($page-1)*$page_size); This looks perfectly reasonable but results in a broken query being generated if ($page-1)*$page_size overflows the range of int (e.g. "rows=2&page=2222222222222222222222222" in the query string) as it's then represented in exponential notation by Perl ("4.44444444444445e+25" in this example) and _get_args() doesn't recognize it as offset any more because it tests for "/^\d+$/" only, and interprets it as the syntax value, which is then, of course, not recognized and a completely invalid query is generated. While this doesn't seem to be immediately exploitable, it would still be better to handle this in some more reasonable way and just take anything specified as offset as being offset instead of interpreting it as syntax. And unknown syntaxes should be detected and rejected instead of silently generating wrong queries, IMO.