Postgres Pro
Downloads
Home   >   mailing lists

BUG #14931: Unchecked attnum value in ATExecAlterColumnType() - Mailing list pgsql-bugs

From bianpan2016@163.com
Subject BUG #14931: Unchecked attnum value in ATExecAlterColumnType()
Date
Msg-id 20171127095339.1464.29304@wrigleys.postgresql.org
Whole thread Raw
Responses Re: BUG #14931: Unchecked attnum value in ATExecAlterColumnType()  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Tree view 
The following bug has been logged on the website:

Bug reference:      14931
Logged by:          Pan Bian
Email address:      bianpan2016@163.com
PostgreSQL version: 10.1
Operating system:   Linux
Description:

File: src/backend/commands/tablecmds.c
Function: ATExecAlterColumnType
Line: 8986

The value of field attTup->attnum may be zero or even negative. However, in
function ATExecAlterColumnType(), its value is incorrectly assumed to be
larger than or equal to 1. In an exceptional case, it may lead to a buffer
overflow bug (see lines 8989 and 8990).

For your convenience, I copy and paste related codes as follows:

 8978     /* Look up the target column */
 8979     heapTup = SearchSysCacheCopyAttName(RelationGetRelid(rel),
colName);
 8980     if (!HeapTupleIsValid(heapTup)) /* shouldn't happen */
 8981         ereport(ERROR,
 8982                 (errcode(ERRCODE_UNDEFINED_COLUMN),
 8983                  errmsg("column \"%s\" of relation \"%s\" does not
exist",
 8984                         colName, RelationGetRelationName(rel))));
 8985     attTup = (Form_pg_attribute) GETSTRUCT(heapTup);
 8986     attnum = attTup->attnum;
 8987 
 8988     /* Check for multiple ALTER TYPE on same column --- can't cope
*/
 8989     if (attTup->atttypid != tab->oldDesc->attrs[attnum - 1]->atttypid
||
 8990         attTup->atttypmod != tab->oldDesc->attrs[attnum -
1]->atttypmod)
 8991         ereport(ERROR,
 8992                 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 8993                  errmsg("cannot alter type of column \"%s\" twice",
 8994                         colName)));

I also collect a function (i.e. ATExecDropNotNull) in the same file as an
example, shown as follows:

 5616     tuple = SearchSysCacheCopyAttName(RelationGetRelid(rel),
colName);
 5617 
 5618     if (!HeapTupleIsValid(tuple))
 5619         ereport(ERROR,
 5620                 (errcode(ERRCODE_UNDEFINED_COLUMN),
 5621                  errmsg("column \"%s\" of relation \"%s\" does not
exist",
 5622                         colName, RelationGetRelationName(rel))));
 5623 
 5624     attnum = ((Form_pg_attribute) GETSTRUCT(tuple))->attnum;
 5625 
 5626     /* Prevent them from altering a system attribute */
 5627     if (attnum <= 0)
 5628         ereport(ERROR,
 5629                 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 5630                  errmsg("cannot alter system column \"%s\"",
 5631                         colName)));

Thank you!

Pan Bian

pgsql-bugs by date:

Previous
From: bianpan2016@163.com
Date:
Subject: BUG #14930: Unchecked AllocateDir() return value inSlruScanDirectory()
Next
From: Amit Langote
Date:
Subject: Re: BUG #14927: Unchecked SearchSysCache1() return value