summaryrefslogtreecommitdiff
path: root/contrib/hstore/hstore_op.c
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/hstore/hstore_op.c')
-rw-r--r--contrib/hstore/hstore_op.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/contrib/hstore/hstore_op.c b/contrib/hstore/hstore_op.c
index 45edb048ceb..8ba7a05a659 100644
--- a/contrib/hstore/hstore_op.c
+++ b/contrib/hstore/hstore_op.c
@@ -8,6 +8,7 @@
#include "catalog/pg_type.h"
#include "funcapi.h"
#include "utils/builtins.h"
+#include "utils/memutils.h"
#include "hstore.h"
@@ -90,6 +91,19 @@ hstoreArrayToPairs(ArrayType *a, int *npairs)
return NULL;
}
+ /*
+ * A text array uses at least eight bytes per element, so any overflow in
+ * "key_count * sizeof(Pairs)" is small enough for palloc() to catch.
+ * However, credible improvements to the array format could invalidate
+ * that assumption. Therefore, use an explicit check rather than relying
+ * on palloc() to complain.
+ */
+ if (key_count > MaxAllocSize / sizeof(Pairs))
+ ereport(ERROR,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("number of pairs (%d) exceeds the maximum allowed (%d)",
+ key_count, (int) (MaxAllocSize / sizeof(Pairs)))));
+
key_pairs = palloc(sizeof(Pairs) * key_count);
for (i = 0, j = 0; i < key_count; i++)
@@ -648,6 +662,7 @@ hstore_slice_to_hstore(PG_FUNCTION_ARGS)
PG_RETURN_POINTER(out);
}
+ /* hstoreArrayToPairs() checked overflow */
out_pairs = palloc(sizeof(Pairs) * nkeys);
bufsiz = 0;
generated by cgit v1.2.3 (git 2.46.0) at 2025-09-05 06:33:46 +0000