From 16ebf4f9714a2b8f7f17c537743046a9a59c801b Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 28 Oct 2024 14:33:55 -0400 Subject: [PATCH] Guard against enormously long input in pg_saslprep(). Coverity complained that pg_saslprep() could suffer integer overflow, leading to under-allocation of the output buffer, if the input string exceeds SIZE_MAX/4. This hazard seems largely hypothetical, but it's easy enough to defend against, so let's do so. This patch creates a third place in src/common/ where we are locally defining MaxAllocSize so that we can test against that in the same way in backend and frontend compiles. That seems like about two places too many, so the next patch will move that into common/fe_memutils.h. I'm hesitant to do that in back branches however. Back-patch to v14. The code looks similar in older branches, but before commit 67a472d71 there was a separate test on the input string length that prevented this hazard. Per Coverity report. --- src/common/saslprep.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/common/saslprep.c b/src/common/saslprep.c index 3cf498866a5..e7e909a0c87 100644 --- a/src/common/saslprep.c +++ b/src/common/saslprep.c @@ -21,8 +21,13 @@ */ #ifndef FRONTEND #include "postgres.h" +#include "utils/memutils.h" #else #include "postgres_fe.h" + +/* It's possible we could use a different value for this in frontend code */ +#define MaxAllocSize ((Size) 0x3fffffff) /* 1 gigabyte - 1 */ + #endif #include "common/saslprep.h" @@ -1077,6 +1082,8 @@ pg_saslprep(const char *input, char **output) input_size = pg_utf8_string_len(input); if (input_size < 0) return SASLPREP_INVALID_UTF8; + if (input_size >= MaxAllocSize / sizeof(pg_wchar)) + goto oom; input_chars = ALLOC((input_size + 1) * sizeof(pg_wchar)); if (!input_chars)