OK, updated patch attached.
---------------------------------------------------------------------------
Neil Conway wrote:
> momjian@postgresql.org (Bruce Momjian - CVS) writes:
> > Modified files:
> > src/backend/utils/adt: oracle_compat.c
> >
> > Log message:
> > repeat() fix:
> >
> > > Neil Conway <neilc@samurai.com> writes:
> > > > + /* Check for integer overflow */
> > > > + if (tlen / slen != count)
> > > > + elog(ERROR, "Requested buffer is too large.");
> > >
> > > What about slen == 0?
> >
> > Good point -- that wouldn't cause incorrect results or a security
> > problem, but it would reject input that we should really accept.
> >
> > Revised patch is attached.
>
> This is the wrong version of the patch -- please apply the updated
> patch I sent to -hackers (which is the same one I sent to you via
> private mail).
>
> Also, this should be applied to REL7_2_STABLE as well, IMHO.
>
> Cheers,
>
> Neil
>
> --
> Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
>
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Index: src/backend/utils/adt/oracle_compat.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/oracle_compat.c,v
retrieving revision 1.37
diff -c -r1.37 oracle_compat.c
*** src/backend/utils/adt/oracle_compat.c 8 Jan 2002 17:03:41 -0000 1.37
--- src/backend/utils/adt/oracle_compat.c 21 Aug 2002 21:03:59 -0000
***************
*** 997,1002 ****
--- 997,1012 ----
slen = (VARSIZE(string) - VARHDRSZ);
tlen = (VARHDRSZ + (count * slen));
+ /* Check for integer overflow */
+ if (slen != 0 && count != 0)
+ {
+ int check = count * slen;
+ int check2 = check + VARHDRSZ;
+
+ if ((check / slen) != count || check2 <= check)
+ elog(ERROR, "Requested buffer is too large.");
+ }
+
result = (text *) palloc(tlen);
VARATT_SIZEP(result) = tlen;
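
Review bot: the added overflow check still performs the multiplication it is meant to guard. `int check = count * slen;` is evaluated before `(check / slen) != count`, and if count and slen are signed ints like check, an overflowing product is undefined behaviour in C, so the compiler is free to assume it cannot happen and the test is not guaranteed to fire. The same holds for `check2 <= check`, which depends on `check + VARHDRSZ` wrapping. Suggest testing before multiplying, for example rejecting when `count > (INT_MAX - VARHDRSZ) / slen` inside the existing `slen != 0 && count != 0` guard, and moving the unchanged context line `tlen = (VARHDRSZ + (count * slen));` to after the check so that the unchecked product is never computed. The hunk does not show whether count can be negative at this point; if it can, the check should reject or clamp it explicitly rather than rely on the division comparison.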