Thread: pgsql-server/src/backend/utils/adt oracle_compat.c
pgsql-server/src/backend/utils/adt oracle_compat.c
From
momjian@postgresql.org (Bruce Momjian - CVS)
Date:
CVSROOT: /cvsroot
Module name: pgsql-server
Changes by: momjian@postgresql.org 02/08/22 00:54:20

Modified files:
src/backend/utils/adt: oracle_compat.c

Log message:
repeat() fix:

> Neil Conway <neilc@samurai.com> writes:
> > + /* Check for integer overflow */
> > + if (tlen / slen != count)
> > + elog(ERROR, "Requested buffer is too large.");
>
> What about slen == 0?

Good point -- that wouldn't cause incorrect results or a security
problem, but it would reject input that we should really accept.

Revised patch is attached.

Neil Conway
momjian@postgresql.org (Bruce Momjian - CVS) writes:
> Modified files:
> src/backend/utils/adt: oracle_compat.c
>
> Log message:
> repeat() fix:
>
> > Neil Conway <neilc@samurai.com> writes:
> > > + /* Check for integer overflow */
> > > + if (tlen / slen != count)
> > > + elog(ERROR, "Requested buffer is too large.");
> >
> > What about slen == 0?
>
> Good point -- that wouldn't cause incorrect results or a security
> problem, but it would reject input that we should really accept.
>
> Revised patch is attached.

This is the wrong version of the patch -- please apply the updated
patch I sent to -hackers (which is the same one I sent to you via
private mail).

Also, this should be applied to REL7_2_STABLE as well, IMHO.

Cheers,

Neil

--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
OK, updated patch attached.

---------------------------------------------------------------------------

Neil Conway wrote:
> momjian@postgresql.org (Bruce Momjian - CVS) writes:
> > Modified files:
> > src/backend/utils/adt: oracle_compat.c
> >
> > Log message:
> > repeat() fix:
> >
> > > Neil Conway <neilc@samurai.com> writes:
> > > > + /* Check for integer overflow */
> > > > + if (tlen / slen != count)
> > > > + elog(ERROR, "Requested buffer is too large.");
> > >
> > > What about slen == 0?
> >
> > Good point -- that wouldn't cause incorrect results or a security
> > problem, but it would reject input that we should really accept.
> >
> > Revised patch is attached.
>
> This is the wrong version of the patch -- please apply the updated
> patch I sent to -hackers (which is the same one I sent to you via
> private mail).
>
> Also, this should be applied to REL7_2_STABLE as well, IMHO.
>
> Cheers,
>
> Neil
>
> --
> Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup.
| Newtown Square, Pennsylvania 19073 Index: src/backend/utils/adt/oracle_compat.c =================================================================== RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/oracle_compat.c,v retrieving revision 1.37 diff -c -r1.37 oracle_compat.c *** src/backend/utils/adt/oracle_compat.c 8 Jan 2002 17:03:41 -0000 1.37 --- src/backend/utils/adt/oracle_compat.c 21 Aug 2002 21:03:59 -0000 *************** *** 997,1002 **** --- 997,1012 ---- slen = (VARSIZE(string) - VARHDRSZ); tlen = (VARHDRSZ + (count * slen)); + /* Check for integer overflow */ + if (slen != 0 && count != 0) + { + int check = count * slen; + int check2 = check + VARHDRSZ; + + if ((check / slen) != count || check2 <= check) + elog(ERROR, "Requested buffer is too large."); + } + result = (text *) palloc(tlen); VARATT_SIZEP(result) = tlen;
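Review bot: the overflow test in the added block runs after the overflow has already happened. The unchanged context line "tlen = (VARHDRSZ + (count * slen));" does the multiplication before the check, and "int check = count * slen;" repeats it, so if count and slen are signed ints (as the "int check" declaration suggests) both are undefined behaviour on overflow, and a compiler may assume that "(check / slen) != count" and "check2 <= check" can never be true and drop the test. Suggest bounding the operands before multiplying, for example "if (slen != 0 && count > (INT_MAX - VARHDRSZ) / slen)", and moving the tlen assignment below the check so that palloc only ever sees a validated size. The "count != 0" guard also lets a negative count reach the division; the hunk does not show whether that is clamped earlier in the function, so a short comment saying so, or an explicit "count < 0" test here, would make the check self-contained.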