Predict integer overflow to avoid buffer overruns.

Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions. Back-patch to 8.4 (all supported versions). The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0. Noah Misch and Heikki Linnakangas, reviewed by Tom Lane. Security: CVE-2014-0064
author: Noah Misch <noah@leadboat.com> 2014-02-17 09:33:31 -0500
committer: Noah Misch <noah@leadboat.com> 2014-02-17 09:33:39 -0500
commit: 98be8a6eaa9fe917f6be9e121187b912e19ab484 (patch)
tree: 1f0e51b7f00461208ee1bbf9103629b6b38885ca /src/backend/utils/adt/tsquery_util.c
parent: d0ed1a6c044452a529c1d544647ea1fcb90dcb81 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/src/backend/utils/adt/tsquery_util.c b/src/backend/utils/adt/tsquery_util.c
index d4a2ede1f62..dfe5779daf5 100644
--- a/src/backend/utils/adt/tsquery_util.c
+++ b/src/backend/utils/adt/tsquery_util.c
@@ -334,6 +334,11 @@ QTN2QT(QTNode *in)
 	QTN2QTState state;
 
 	cntsize(in, &sumlen, &nnode);
+
+	if (TSQUERY_TOO_BIG(nnode, sumlen))
+		ereport(ERROR,
+				(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+				 errmsg("tsquery is too large")));
 	len = COMPUTESIZE(nnode, sumlen);
 
 	out = (TSQuery) palloc0(len);
author	Noah Misch <noah@leadboat.com>	2014-02-17 09:33:31 -0500
committer	Noah Misch <noah@leadboat.com>	2014-02-17 09:33:39 -0500
commit	98be8a6eaa9fe917f6be9e121187b912e19ab484 (patch)
tree	1f0e51b7f00461208ee1bbf9103629b6b38885ca /src/backend/utils/adt/tsquery_util.c
parent	d0ed1a6c044452a529c1d544647ea1fcb90dcb81 (diff)