diff options
author | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:31 -0500 |
---|---|---|
committer | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:33 -0500 |
commit | 12bbce15d93d7692ddff1405aa04b67f8a327f57 (patch) | |
tree | 296fbe9beb2b98b68d66a52979b335af7be529bd /src/backend/utils/adt/tsquery.c | |
parent | f416622be81d1320417bbc7892fd562cae0dba72 (diff) | |
download | postgresql-12bbce15d93d7692ddff1405aa04b67f8a327f57.tar.gz postgresql-12bbce15d93d7692ddff1405aa04b67f8a327f57.zip |
Predict integer overflow to avoid buffer overruns.
Several functions, mostly type input functions, calculated an allocation
size such that the calculation wrapped to a small positive value when
arguments implied a sufficiently-large requirement. Writes past the end
of the inadvertent small allocation followed shortly thereafter.
Coverity identified the path_in() vulnerability; code inspection led to
the rest. In passing, add check_stack_depth() to prevent stack overflow
in related functions.
Back-patch to 8.4 (all supported versions). The non-comment hstore
changes touch code that did not exist in 8.4, so that part stops at 9.0.
Noah Misch and Heikki Linnakangas, reviewed by Tom Lane.
Security: CVE-2014-0064
Diffstat (limited to 'src/backend/utils/adt/tsquery.c')
-rw-r--r-- | src/backend/utils/adt/tsquery.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/backend/utils/adt/tsquery.c b/src/backend/utils/adt/tsquery.c index 6e1f8cfdb0d..1322b5ea025 100644 --- a/src/backend/utils/adt/tsquery.c +++ b/src/backend/utils/adt/tsquery.c @@ -515,8 +515,13 @@ parse_tsquery(char *buf, return query; } - /* Pack the QueryItems in the final TSQuery struct to return to caller */ + if (TSQUERY_TOO_BIG(list_length(state.polstr), state.sumlen)) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("tsquery is too large"))); commonlen = COMPUTESIZE(list_length(state.polstr), state.sumlen); + + /* Pack the QueryItems in the final TSQuery struct to return to caller */ query = (TSQuery) palloc0(commonlen); SET_VARSIZE(query, commonlen); query->size = list_length(state.polstr); |