pgsql: Guard against unexpected dimensions of oidvector/int2vector. - Mailing list pgsql-committers

From Tom Lane
Subject pgsql: Guard against unexpected dimensions of oidvector/int2vector.
Date
Msg-id E1vpSyf-0026BI-0v@gemulon.postgresql.org
List pgsql-committers
Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <altan.birler@tum.de>
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Noah Misch <noah@leadboat.com>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/3b6588cd902faa967f61f539f057f9b7643cf6a5

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  3 +++
src/backend/access/nbtree/nbtcompare.c |  4 ++++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 82 insertions(+), 3 deletions(-)
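
The kind of explicit check the commit message describes, as an added example that is not code from this commit or from PostgreSQL. The struct, function names and sample values are hypothetical and simplified, and the length bound is an extra check specific to this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified header modelled on an array-style value;
 * not PostgreSQL's actual struct. */
typedef struct {
    int32_t  ndim;        /* dimensions claimed by the header */
    int32_t  dataoffset;  /* nonzero: a null bitmap precedes the data */
    int32_t  dim1;        /* element count when the array is 1-D */
    uint32_t values[4];   /* payload (fixed size for the demo) */
} DemoVector;

typedef enum { VEC_OK, VEC_BAD_NDIM, VEC_HAS_NULLS, VEC_BAD_LENGTH } VecStatus;

/* Reject anything that is not a 1-D, null-free vector before values[] is read. */
VecStatus demo_check_vector(const DemoVector *v)
{
    if (v->ndim != 1)
        return VEC_BAD_NDIM;      /* fixed 1-D layout would misplace the data */
    if (v->dataoffset != 0)
        return VEC_HAS_NULLS;     /* null bitmap present: values[] is not dense */
    /* Demo-only bound: dim1 must fit the fixed payload. */
    if (v->dim1 < 0 || (size_t) v->dim1 > sizeof(v->values) / sizeof(v->values[0]))
        return VEC_BAD_LENGTH;
    return VEC_OK;
}

/* A consumer that trusts dim1 and values[] only after validation. */
VecStatus demo_sum(const DemoVector *v, uint64_t *out)
{
    VecStatus st = demo_check_vector(v);
    if (st != VEC_OK)
        return st;                /* *out is left untouched on rejection */
    *out = 0;
    for (int32_t i = 0; i < v->dim1; i++)
        *out += v->values[i];
    return VEC_OK;
}

/* Constructed sample inputs: well-formed, 2-D header, null bitmap present. */
static const DemoVector demo_good  = { 1, 0, 3, { 10, 20, 30, 0 } };
static const DemoVector demo_2d    = { 2, 0, 2, { 1, 2, 3, 4 } };
static const DemoVector demo_nulls = { 1, 16, 3, { 1, 2, 3, 0 } };

int main(void)
{
    uint64_t sum = 0;
    printf("good: %d\n", demo_sum(&demo_good, &sum));
    printf("2-D: %d, nulls: %d\n", demo_sum(&demo_2d, &sum), demo_sum(&demo_nulls, &sum));
    return 0;
}
```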

