diff options
author | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:31 -0500 |
---|---|---|
committer | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:31 -0500 |
commit | 31400a673325147e1205326008e32135a78b4d8a (patch) | |
tree | 04e430e8b2debcfa94ec74aa15fb23dcac53298c /src/backend/utils/adt/tsquery_util.c | |
parent | 4318daecc959886d001a6e79c6ea853e8b1dfb4b (diff) | |
download | postgresql-31400a673325147e1205326008e32135a78b4d8a.tar.gz |
Predict integer overflow to avoid buffer overruns.
Several functions, mostly type input functions, calculated an allocation
size such that the calculation wrapped to a small positive value when
arguments implied a sufficiently-large requirement. Writes past the end
of the inadvertent small allocation followed shortly thereafter.
Coverity identified the path_in() vulnerability; code inspection led to
the rest. In passing, add check_stack_depth() to prevent stack overflow
in related functions.
Back-patch to 8.4 (all supported versions). The non-comment hstore
changes touch code that did not exist in 8.4, so that part stops at 9.0.
Noah Misch and Heikki Linnakangas, reviewed by Tom Lane.
Security: CVE-2014-0064
Diffstat (limited to 'src/backend/utils/adt/tsquery_util.c')
-rw-r--r-- | src/backend/utils/adt/tsquery_util.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/backend/utils/adt/tsquery_util.c b/src/backend/utils/adt/tsquery_util.c index 34587980c7..8a41fbc531 100644 --- a/src/backend/utils/adt/tsquery_util.c +++ b/src/backend/utils/adt/tsquery_util.c @@ -333,6 +333,11 @@ QTN2QT(QTNode *in) QTN2QTState state; cntsize(in, &sumlen, &nnode); + + if (TSQUERY_TOO_BIG(nnode, sumlen)) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("tsquery is too large"))); len = COMPUTESIZE(nnode, sumlen); out = (TSQuery) palloc0(len); |