diff options
| author | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:31 -0500 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:32 -0500 |
| commit | 7a362a176a5c6621b58fb3897b2a4cb15b975810 (patch) | |
| tree | b6c052e2e69fe1424ee0e0868aa609fe2da28ebb /contrib/intarray/_int.h | |
| parent | e4a4fa22352b062bc3548c91fa9bfc6caed7b073 (diff) | |
| download | postgresql-7a362a176a5c6621b58fb3897b2a4cb15b975810.tar.gz postgresql-7a362a176a5c6621b58fb3897b2a4cb15b975810.zip | |
Predict integer overflow to avoid buffer overruns.
Several functions, mostly type input functions, calculated an allocation
size such that the calculation wrapped to a small positive value when
arguments implied a sufficiently-large requirement. Writes past the end
of the inadvertent small allocation followed shortly thereafter.
Coverity identified the path_in() vulnerability; code inspection led to
the rest. In passing, add check_stack_depth() to prevent stack overflow
in related functions.
Back-patch to 8.4 (all supported versions). The non-comment hstore
changes touch code that did not exist in 8.4, so that part stops at 9.0.
Noah Misch and Heikki Linnakangas, reviewed by Tom Lane.
Security: CVE-2014-0064
Diffstat (limited to 'contrib/intarray/_int.h')
| -rw-r--r-- | contrib/intarray/_int.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/contrib/intarray/_int.h b/contrib/intarray/_int.h index 56aa23cfde0..7f93206e890 100644 --- a/contrib/intarray/_int.h +++ b/contrib/intarray/_int.h @@ -5,6 +5,7 @@ #define ___INT_H__ #include "utils/array.h" +#include "utils/memutils.h" /* number ranges for compression */ #define MAXNUMRANGE 100 @@ -137,6 +138,7 @@ typedef struct QUERYTYPE #define HDRSIZEQT offsetof(QUERYTYPE, items) #define COMPUTESIZE(size) ( HDRSIZEQT + (size) * sizeof(ITEM) ) +#define QUERYTYPEMAXITEMS ((MaxAllocSize - HDRSIZEQT) / sizeof(ITEM)) #define GETQUERY(x) ( (x)->items ) /* "type" codes for ITEM */ |