database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-09-09 13:09:39 +03:00
Code Activity

Detect integer overflow while computing new array dimensions.

Browse Source 
array_set_element() and related functions allow an array to be
enlarged by assigning to subscripts outside the current array bounds.
While these places were careful to check that the new bounds are
allowable, they neglected to consider the risk of integer overflow
in computing the new bounds.  In edge cases, we could compute new
bounds that are invalid but get past the subsequent checks,
allowing bad things to happen.  Memory stomps that are potentially
exploitable for arbitrary code execution are possible, and so is
disclosure of server memory.

To fix, perform the hazardous computations using overflow-detecting
arithmetic routines, which fortunately exist in all still-supported
branches.

The test cases added for this generate (after patching) errors that
mention the value of MaxArraySize, which is platform-dependent.
Rather than introduce multiple expected-files, use psql's VERBOSITY
parameter to suppress the printing of the message text.  v11 psql
lacks that parameter, so omit the tests in that branch.

Our thanks to Pedro Gallegos for reporting this problem.

Security: CVE-2023-5869
This commit is contained in:
Tom Lane
2023-11-06 10:56:43 -05:00
parent 3b0776fde5
commit 18b585155a
5 changed files with 110 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/test/regress/sql/arrays.sql
View File

@@ -438,6 +438,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
reset enable_seqscan;
reset enable_bitmapscan;
-- test subscript overflow detection
-- The normal error message includes a platform-dependent limit,
-- so suppress it to avoid needing multiple expected-files.
\set VERBOSITY sqlstate
insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
-- also exercise the expanded-array case
do $$ declare a int[];
begin
a := '[-2147483648:-2147483647]={1,2}'::int[];
a[2147483647] := 42;
end $$;
\set VERBOSITY default
-- test [not] (like|ilike) (any|all) (...)
select 'foo' like any (array['%a', '%o']); -- t
select 'foo' like any (array['%a', '%b']); -- f