database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-08-19 23:22:23 +03:00
Code Activity

Predict integer overflow to avoid buffer overruns.

Browse Source 
Several functions, mostly type input functions, calculated an allocation
size such that the calculation wrapped to a small positive value when
arguments implied a sufficiently-large requirement.  Writes past the end
of the inadvertent small allocation followed shortly thereafter.
Coverity identified the path_in() vulnerability; code inspection led to
the rest.  In passing, add check_stack_depth() to prevent stack overflow
in related functions.

Back-patch to 8.4 (all supported versions).  The non-comment hstore
changes touch code that did not exist in 8.4, so that part stops at 9.0.

Noah Misch and Heikki Linnakangas, reviewed by Tom Lane.

Security: CVE-2014-0064
This commit is contained in:
Noah Misch
2014-02-17 09:33:31 -05:00
parent 4318daecc9
commit 31400a6733
15 changed files with 177 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/backend/utils/adt/geo_ops.c
View File

@@ -1366,6 +1366,7 @@ path_in(PG_FUNCTION_ARGS)
char *s;
int npts;
int size;
int base_size;
int depth = 0;
if ((npts = pair_count(str, ',')) <= 0)
@@ -1384,7 +1385,15 @@ path_in(PG_FUNCTION_ARGS)
depth++;
}
size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
base_size = sizeof(path->p[0]) * npts;
size = offsetof(PATH, p[0]) + base_size;
/* Check for integer overflow */
if (base_size / npts != sizeof(path->p[0]) || size <= base_size)
ereport(ERROR,
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
errmsg("too many points requested")));
path = (PATH *) palloc(size);
SET_VARSIZE(path, size);
@@ -3429,6 +3438,7 @@ poly_in(PG_FUNCTION_ARGS)
POLYGON *poly;
int npts;
int size;
int base_size;
int isopen;
char *s;
@@ -3437,7 +3447,15 @@ poly_in(PG_FUNCTION_ARGS)
(errcode(ERRCODE_INVALID_TEXT_REPRESENTATION),
errmsg("invalid input syntax for type polygon: \"%s\"", str)));
size = offsetof(POLYGON, p[0]) +sizeof(poly->p[0]) * npts;
base_size = sizeof(poly->p[0]) * npts;
size = offsetof(POLYGON, p[0]) + base_size;
/* Check for integer overflow */
if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
ereport(ERROR,
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
errmsg("too many points requested")));
poly = (POLYGON *) palloc0(size); /* zero any holes */
SET_VARSIZE(poly, size);
@@ -4343,6 +4361,10 @@ path_poly(PG_FUNCTION_ARGS)
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("open path cannot be converted to polygon")));
/*
* Never overflows: the old size fit in MaxAllocSize, and the new size is
* just a small constant larger.
*/
size = offsetof(POLYGON, p[0]) +sizeof(poly->p[0]) * path->npts;
poly = (POLYGON *) palloc(size);
@@ -4448,6 +4470,10 @@ poly_path(PG_FUNCTION_ARGS)
int size;
int i;
/*
* Never overflows: the old size fit in MaxAllocSize, and the new size is
* smaller by a small constant.
*/
size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * poly->npts;
path = (PATH *) palloc(size);