mirror of https://github.com/postgres/postgres.git synced 2025-07-05 07:21:24 +03:00

Fix RelationBuildPartitionKey's processing of partition key expressions.

Failure to advance the list pointer while reading partition expressions
from a list results in invoking an input function with inappropriate data,
possibly leading to crashes or, with carefully crafted input, disclosure
of arbitrary backend memory.

Bug discovered independently by Álvaro Herrera and David Rowley.
This patch is by Álvaro but owes something to David's proposed fix.
Back-patch to v10 where the issue was introduced.

Security: CVE-2018-1052
Tom Lane
2018-02-05 10:37:30 -05:00
parent 05d0f13f07
commit 3492a0af0b
3 changed files with 34 additions and 9 deletions


@ -983,9 +983,14 @@ RelationBuildPartitionKey(Relation relation)
}
else
{
if (partexprs_item == NULL)
elog(ERROR, "wrong number of partition key expressions");
key->parttypid[i] = exprType(lfirst(partexprs_item));
key->parttypmod[i] = exprTypmod(lfirst(partexprs_item));
key->parttypcoll[i] = exprCollation(lfirst(partexprs_item));
partexprs_item = lnext(partexprs_item);
}
get_typlenbyvalalign(key->parttypid[i],
&key->parttyplen[i],
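
Review bot: the NULL check at the top of the else branch only catches a partexprs list that runs short; a list holding more entries than there are expression columns would still pass through these lines unnoticed. If the code after the loop does not already do so, consider raising the same "wrong number of partition key expressions" error (or an Assert) when partexprs_item is not NULL once the loop has finished. A short comment above partexprs_item = lnext(partexprs_item) stating that each expression column consumes exactly one list entry would help future readers, since the commit message attributes the bug to that advance being missing. Minor style point: lfirst(partexprs_item) is evaluated three times in a row and could be held in a local Node pointer so the type, typmod and collation lookups visibly operate on the same expression.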