diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2005-08-15 19:40:43 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2005-08-15 19:40:43 +0000 |
| commit | ab648632eb4d3d36c012350f9c5643deb4736791 (patch) | |
| tree | 39c0d14d59e4e3ee98ec19fe2fa690f95585baba /src/backend/utils/adt/arrayfuncs.c | |
| parent | 497f11845c2f7d4843b5e77d8c774580d1eb5c38 (diff) | |
| download | postgresql-ab648632eb4d3d36c012350f9c5643deb4736791.tar.gz postgresql-ab648632eb4d3d36c012350f9c5643deb4736791.zip | |
array_in() and array_recv() need to be more paranoid about validating
their OID parameter. It was possible to crash the backend with
select array_in('{123}',0,0); because that would bypass the needed step
of initializing the workspace. These seem to be the only two places
with a problem, though (record_in and record_recv don't have the issue,
and the other array functions aren't depending on user-supplied input).
Back-patch as far as 7.4; 7.3 does not have the bug.
Diffstat (limited to 'src/backend/utils/adt/arrayfuncs.c')
| -rw-r--r-- | src/backend/utils/adt/arrayfuncs.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c index b285470f4dc..758faf7cb33 100644 --- a/src/backend/utils/adt/arrayfuncs.c +++ b/src/backend/utils/adt/arrayfuncs.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/adt/arrayfuncs.c,v 1.115.4.1 2005/03/24 21:50:51 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/utils/adt/arrayfuncs.c,v 1.115.4.2 2005/08/15 19:40:43 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -160,7 +160,7 @@ array_in(PG_FUNCTION_ARGS) fcinfo->flinfo->fn_extra = MemoryContextAlloc(fcinfo->flinfo->fn_mcxt, sizeof(ArrayMetaState)); my_extra = (ArrayMetaState *) fcinfo->flinfo->fn_extra; - my_extra->element_type = InvalidOid; + my_extra->element_type = ~element_type; } if (my_extra->element_type != element_type) @@ -1175,15 +1175,6 @@ array_recv(PG_FUNCTION_ARGS) } nitems = ArrayGetNItems(ndim, dim); - if (nitems == 0) - { - /* Return empty array */ - retval = (ArrayType *) palloc0(sizeof(ArrayType)); - retval->size = sizeof(ArrayType); - retval->elemtype = element_type; - PG_RETURN_ARRAYTYPE_P(retval); - } - /* * We arrange to look up info about element type, including its * receive conversion proc, only once per series of calls, assuming @@ -1195,7 +1186,7 @@ array_recv(PG_FUNCTION_ARGS) fcinfo->flinfo->fn_extra = MemoryContextAlloc(fcinfo->flinfo->fn_mcxt, sizeof(ArrayMetaState)); my_extra = (ArrayMetaState *) fcinfo->flinfo->fn_extra; - my_extra->element_type = InvalidOid; + my_extra->element_type = ~element_type; } if (my_extra->element_type != element_type) @@ -1214,6 +1205,16 @@ array_recv(PG_FUNCTION_ARGS) fcinfo->flinfo->fn_mcxt); my_extra->element_type = element_type; } + + if (nitems == 0) + { + /* Return empty array ... but not till we've validated element_type */ + retval = (ArrayType *) palloc0(sizeof(ArrayType)); + retval->size = sizeof(ArrayType); + retval->elemtype = element_type; + PG_RETURN_ARRAYTYPE_P(retval); + } + typlen = my_extra->typlen; typbyval = my_extra->typbyval; typalign = my_extra->typalign; |