Predict integer overflow to avoid buffer overruns.

Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions. Back-patch to 8.4 (all supported versions). The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0. Noah Misch and Heikki Linnakangas, reviewed by Tom Lane. Security: CVE-2014-0064
2025-08-21 10:42:50 +03:00 · 2014-02-17 09:33:31 -05:00
parent 4318daecc9
commit 31400a6733
15 changed files with 177 additions and 19 deletions
--- a/src/include/tsearch/ts_type.h
+++ b/src/include/tsearch/ts_type.h
@@ -13,6 +13,7 @@
 #define _PG_TSTYPE_H_

 #include "fmgr.h"
+#include "utils/memutils.h"
 #include "utils/pg_crc.h"


@@ -244,6 +245,8 @@ typedef TSQueryData *TSQuery;
 * QueryItems, and lenofoperand is the total length of all operands
 */
 #define COMPUTESIZE(size, lenofoperand) ( HDRSIZETQ + (size) * sizeof(QueryItem) + (lenofoperand) )
+#define TSQUERY_TOO_BIG(size, lenofoperand) \
+	((size) > (MaxAllocSize - HDRSIZETQ - (lenofoperand)) / sizeof(QueryItem))

 /* Returns a pointer to the first QueryItem in a TSQuery */
 #define GETQUERY(x)  ((QueryItem*)( (char*)(x)+HDRSIZETQ ))