diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2023-11-06 10:56:43 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2023-11-06 10:56:43 -0500 |
| commit | d267cea24ea346c739c85bf7bccbd8e8f59da6b3 (patch) | |
| tree | 2a30ff6d35784bcbd331f624c72198516bcd56bc /src/backend/utils/adt/arrayutils.c | |
| parent | e911afd092c179563bef39839118acb6702066f4 (diff) | |
| download | postgresql-d267cea24ea346c739c85bf7bccbd8e8f59da6b3.tar.gz postgresql-d267cea24ea346c739c85bf7bccbd8e8f59da6b3.zip | |
Detect integer overflow while computing new array dimensions.
array_set_element() and related functions allow an array to be
enlarged by assigning to subscripts outside the current array bounds.
While these places were careful to check that the new bounds are
allowable, they neglected to consider the risk of integer overflow
in computing the new bounds. In edge cases, we could compute new
bounds that are invalid but get past the subsequent checks,
allowing bad things to happen. Memory stomps that are potentially
exploitable for arbitrary code execution are possible, and so is
disclosure of server memory.
To fix, perform the hazardous computations using overflow-detecting
arithmetic routines, which fortunately exist in all still-supported
branches.
The test cases added for this generate (after patching) errors that
mention the value of MaxArraySize, which is platform-dependent.
Rather than introduce multiple expected-files, use psql's VERBOSITY
parameter to suppress the printing of the message text. v11 psql
lacks that parameter, so omit the tests in that branch.
Our thanks to Pedro Gallegos for reporting this problem.
Security: CVE-2023-5869
Diffstat (limited to 'src/backend/utils/adt/arrayutils.c')
| -rw-r--r-- | src/backend/utils/adt/arrayutils.c | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/src/backend/utils/adt/arrayutils.c b/src/backend/utils/adt/arrayutils.c index 34b337aac4f..d381536ead7 100644 --- a/src/backend/utils/adt/arrayutils.c +++ b/src/backend/utils/adt/arrayutils.c @@ -64,10 +64,6 @@ ArrayGetOffset0(int n, const int *tup, const int *scale) * This must do overflow checking, since it is used to validate that a user * dimensionality request doesn't overflow what we can handle. * - * We limit array sizes to at most about a quarter billion elements, - * so that it's not necessary to check for overflow in quite so many - * places --- for instance when palloc'ing Datum arrays. - * * The multiplication overflow check only works on machines that have int64 * arithmetic, but that is nearly all platforms these days, and doing check * divides for those that don't seems way too expensive. @@ -78,8 +74,6 @@ ArrayGetNItems(int ndim, const int *dims) int32 ret; int i; -#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum))) - if (ndim <= 0) return 0; ret = 1; |