From 7a362a176a5c6621b58fb3897b2a4cb15b975810 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 17 Feb 2014 09:33:31 -0500 Subject: Predict integer overflow to avoid buffer overruns. Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions. Back-patch to 8.4 (all supported versions). The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0. Noah Misch and Heikki Linnakangas, reviewed by Tom Lane. Security: CVE-2014-0064 --- contrib/intarray/_int_bool.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'contrib/intarray/_int_bool.c') diff --git a/contrib/intarray/_int_bool.c b/contrib/intarray/_int_bool.c index d0572afc1e3..b18e997748b 100644 --- a/contrib/intarray/_int_bool.c +++ b/contrib/intarray/_int_bool.c @@ -448,6 +448,9 @@ boolop(PG_FUNCTION_ARGS) static void findoprnd(ITEM *ptr, int32 *pos) { + /* since this function recurses, it could be driven to stack overflow. */ + check_stack_depth(); + #ifdef BS_DEBUG elog(DEBUG3, (ptr[*pos].type == OPR) ? "%d %c" : "%d %d", *pos, ptr[*pos].val); @@ -508,7 +511,13 @@ bqarr_in(PG_FUNCTION_ARGS) (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("empty query"))); + if (state.num > QUERYTYPEMAXITEMS) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("number of query items (%d) exceeds the maximum allowed (%d)", + state.num, (int) QUERYTYPEMAXITEMS))); commonlen = COMPUTESIZE(state.num); + query = (QUERYTYPE *) palloc(commonlen); SET_VARSIZE(query, commonlen); query->size = state.num; -- cgit v1.2.3