Predict integer overflow to avoid buffer overruns.

Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions. Back-patch to 8.4 (all supported versions). The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0. Noah Misch and Heikki Linnakangas, reviewed by Tom Lane. Security: CVE-2014-0064
2025-06-14 18:42:34 +03:00 · 2014-02-17 09:33:31 -05:00
parent 6a10e57b0f
commit 0b7026d964
15 changed files with 169 additions and 19 deletions
--- a/contrib/intarray/_int.h
+++ b/contrib/intarray/_int.h
@ -5,6 +5,7 @@
 #define ___INT_H__

 #include "utils/array.h"
+#include "utils/memutils.h"

 /* number ranges for compression */
 #define MAXNUMRANGE 100
@ -137,6 +138,7 @@ typedef struct QUERYTYPE

 #define HDRSIZEQT	offsetof(QUERYTYPE, items)
 #define COMPUTESIZE(size)	( HDRSIZEQT + (size) * sizeof(ITEM) )
+#define QUERYTYPEMAXITEMS	((MaxAllocSize - HDRSIZEQT) / sizeof(ITEM))
 #define GETQUERY(x)  ( (x)->items )

 /* "type" codes for ITEM */