Vince Vielhaber <vev@michvhf.com> writes:
> Here's yet another. He claims malicious code can be run on the server
> with this one.
regression=# select repeat('xxx',1431655765);
server closed the connection unexpectedly
This is probably caused by integer overflow in calculating the size of
the repeat's result buffer. It'd take some considerable doing to create
an arbitrary-code exploit, but perhaps could be done. Anyone want to
investigate a patch? I think we likely need something like
bufsize = input_length * repeats;
+ /* check for overflow in multiplication */
+ if (bufsize / repeats != input_length)
+ elog(ERROR, "repeat result too long");
but I haven't thought it through in detail.
regards, tom lane