From 7a362a176a5c6621b58fb3897b2a4cb15b975810 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 17 Feb 2014 09:33:31 -0500 Subject: Predict integer overflow to avoid buffer overruns. Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions. Back-patch to 8.4 (all supported versions). The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0. Noah Misch and Heikki Linnakangas, reviewed by Tom Lane. Security: CVE-2014-0064 --- contrib/intarray/_int.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'contrib/intarray/_int.h') diff --git a/contrib/intarray/_int.h b/contrib/intarray/_int.h index 56aa23cfde0..7f93206e890 100644 --- a/contrib/intarray/_int.h +++ b/contrib/intarray/_int.h @@ -5,6 +5,7 @@ #define ___INT_H__ #include "utils/array.h" +#include "utils/memutils.h" /* number ranges for compression */ #define MAXNUMRANGE 100 @@ -137,6 +138,7 @@ typedef struct QUERYTYPE #define HDRSIZEQT offsetof(QUERYTYPE, items) #define COMPUTESIZE(size) ( HDRSIZEQT + (size) * sizeof(ITEM) ) +#define QUERYTYPEMAXITEMS ((MaxAllocSize - HDRSIZEQT) / sizeof(ITEM)) #define GETQUERY(x) ( (x)->items ) /* "type" codes for ITEM */ -- cgit v1.2.3