database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-29 10:41:53 +03:00
Code Activity

Prevent stack overflow in json-related functions.

Browse Source 
Sufficiently-deep recursion heretofore elicited a SIGSEGV.  If an
application constructs PostgreSQL json or jsonb values from arbitrary
user input, application users could have exploited this to terminate all
active database connections.  That applies to 9.3, where the json parser
adopted recursive descent, and later versions.  Only row_to_json() and
array_to_json() were at risk in 9.2, both in a non-security capacity.
Back-patch to 9.2, where the json type was introduced.

Oskari Saarenmaa, reviewed by Michael Paquier.

Security: CVE-2015-5289
This commit is contained in:
Noah Misch
2015-10-05 10:06:29 -04:00
parent 56232f9879
commit 8dacb29ca7
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/backend/utils/adt/json.c
View File

@ -18,6 +18,7 @@
#include "lib/stringinfo.h" #include "lib/stringinfo.h"
#include "libpq/pqformat.h" #include "libpq/pqformat.h"
#include "mb/pg_wchar.h" #include "mb/pg_wchar.h"
#include "miscadmin.h"
#include "parser/parse_coerce.h" #include "parser/parse_coerce.h"
#include "utils/array.h" #include "utils/array.h"
#include "utils/builtins.h" #include "utils/builtins.h"
@ -895,6 +896,8 @@ datum_to_json(Datum val, bool is_null, StringInfo result,
bool numeric_error; bool numeric_error;
JsonLexContext dummy_lex; JsonLexContext dummy_lex;
check_stack_depth();
if (is_null) if (is_null)
{ {
appendStringInfoString(result, "null"); appendStringInfoString(result, "null");