libpq: Prevent some overflows of int/size_t

Several functions could overflow their size calculations, when presented with very large inputs from remote and/or untrusted locations, and then allocate buffers that were too small to hold the intended contents. Switch from int to size_t where appropriate, and check for overflow conditions when the inputs could have plausibly originated outside of the libpq trust boundary. (Overflows from within the trust boundary are still possible, but these will be fixed separately.) A version of add_size() is ported from the backend to assist with code that performs more complicated concatenation. Reported-by: Aleksey Solovev (Positive Technologies) Reviewed-by: Noah Misch <noah@leadboat.com> Reviewed-by: Álvaro Herrera <alvherre@kurilemu.de> Security: CVE-2025-12818 Backpatch-through: 13
2025-11-15 03:41:20 +03:00 · 2025-11-10 06:02:34 -08:00
parent 3e0ae46d90
commit 600086f471
5 changed files with 224 additions and 33 deletions
--- a/src/interfaces/libpq/fe-print.c
+++ b/src/interfaces/libpq/fe-print.c
@@ -104,6 +104,16 @@ PQprint(FILE *fout, const PGresult *res, const PQprintOpt *po)
 		}			screen_size;
 #endif

+		/*
+		 * Quick sanity check on po->fieldSep, since we make heavy use of int
+		 * math throughout.
+		 */
+		if (fs_len < strlen(po->fieldSep))
+		{
+			fprintf(stderr, libpq_gettext("overlong field separator\n"));
+			goto exit;
+		}
+
 		nTups = PQntuples(res);
 		fieldNames = (const char **) calloc(nFields, sizeof(char *));
 		fieldNotNum = (unsigned char *) calloc(nFields, 1);
@@ -391,7 +401,7 @@ do_field(const PQprintOpt *po, const PGresult *res,
 		{
 			if (plen > fieldMax[j])
 				fieldMax[j] = plen;
-			if (!(fields[i * nFields + j] = (char *) malloc(plen + 1)))
+			if (!(fields[i * nFields + j] = (char *) malloc((size_t) plen + 1)))
 			{
 				fprintf(stderr, libpq_gettext("out of memory\n"));
 				return false;
@@ -441,6 +451,27 @@ do_field(const PQprintOpt *po, const PGresult *res,
 }


+/*
+ * Frontend version of the backend's add_size(), intended to be API-compatible
+ * with the pg_add_*_overflow() helpers. Stores the result into *dst on success.
+ * Returns true instead if the addition overflows.
+ *
+ * TODO: move to common/int.h
+ */
+static bool
+add_size_overflow(size_t s1, size_t s2, size_t *dst)
+{
+	size_t		result;
+
+	result = s1 + s2;
+	if (result < s1 || result < s2)
+		return true;
+
+	*dst = result;
+	return false;
+}
+
+
 static char *
 do_header(FILE *fout, const PQprintOpt *po, const int nFields, int *fieldMax,
 		  const char **fieldNames, unsigned char *fieldNotNum,
@@ -453,15 +484,31 @@ do_header(FILE *fout, const PQprintOpt *po, const int nFields, int *fieldMax,
 		fputs("<tr>", fout);
 	else
 	{
-		int			tot = 0;
+		size_t		tot = 0;
 		int			n = 0;
 		char	   *p = NULL;

+		/* Calculate the border size, checking for overflow. */
 		for (; n < nFields; n++)
-			tot += fieldMax[n] + fs_len + (po->standard ? 2 : 0);
+		{
+			/* Field plus separator, plus 2 extra '-' in standard format. */
+			if (add_size_overflow(tot, fieldMax[n], &tot) ||
+				add_size_overflow(tot, fs_len, &tot) ||
+				(po->standard && add_size_overflow(tot, 2, &tot)))
+				goto overflow;
+		}
 		if (po->standard)
-			tot += fs_len * 2 + 2;
-		border = malloc(tot + 1);
+		{
+			/* An extra separator at the front and back. */
+			if (add_size_overflow(tot, fs_len, &tot) ||
+				add_size_overflow(tot, fs_len, &tot) ||
+				add_size_overflow(tot, 2, &tot))
+				goto overflow;
+		}
+		if (add_size_overflow(tot, 1, &tot))	/* terminator */
+			goto overflow;
+
+		border = malloc(tot);
 		if (!border)
 		{
 			fprintf(stderr, libpq_gettext("out of memory\n"));
@@ -524,6 +571,10 @@ do_header(FILE *fout, const PQprintOpt *po, const int nFields, int *fieldMax,
 	else
 		fprintf(fout, "\n%s\n", border);
 	return border;
+
+overflow:
+	fprintf(stderr, libpq_gettext("header size exceeds the maximum allowed\n"));
+	return NULL;
 }