Predict integer overflow to avoid buffer overruns.
Several functions, mostly type input functions, calculated an allocation
size such that the calculation wrapped to a small positive value when
arguments implied a sufficiently-large requirement. Writes past the end
of the inadvertent small allocation followed shortly thereafter.
Coverity identified the path_in() vulnerability; code inspection led to
the rest. In passing, add check_stack_depth() to prevent stack overflow
in related functions.
Back-patch to 8.4 (all supported versions). The non-comment hstore
changes touch code that did not exist in 8.4, so that part stops at 9.0.
Noah Misch and Heikki Linnakangas, reviewed by Tom Lane.
Security: CVE-2014-0064
Branch
------
REL8_4_STABLE
Details
-------
http://git.postgresql.org/pg/commitdiff/98be8a6eaa9fe917f6be9e121187b912e19ab484
Modified Files
--------------
contrib/intarray/_int.h | 2 ++
contrib/intarray/_int_bool.c | 9 +++++++++
contrib/ltree/ltree.h | 3 +++
contrib/ltree/ltree_io.c | 11 +++++++++++
contrib/ltree/ltxtquery_io.c | 13 ++++++++++++-
src/backend/utils/adt/geo_ops.c | 30 ++++++++++++++++++++++++++++--
src/backend/utils/adt/tsquery.c | 7 ++++++-
src/backend/utils/adt/tsquery_util.c | 5 +++++
src/backend/utils/adt/txid.c | 15 +++++----------
src/backend/utils/adt/varbit.c | 32 ++++++++++++++++++++++++++++++--
src/include/tsearch/ts_type.h | 3 +++
src/include/utils/varbit.h | 7 +++++++
12 files changed, 121 insertions(+), 16 deletions(-)
