From 16d58b5b534fa783e2259b407c237fc166ebf7e4 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 5 Oct 2015 10:06:29 -0400 Subject: Prevent stack overflow in json-related functions. Sufficiently-deep recursion heretofore elicited a SIGSEGV. If an application constructs PostgreSQL json or jsonb values from arbitrary user input, application users could have exploited this to terminate all active database connections. That applies to 9.3, where the json parser adopted recursive descent, and later versions. Only row_to_json() and array_to_json() were at risk in 9.2, both in a non-security capacity. Back-patch to 9.2, where the json type was introduced. Oskari Saarenmaa, reviewed by Michael Paquier. Security: CVE-2015-5289 --- src/test/regress/sql/json.sql | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/test/regress/sql/json.sql') diff --git a/src/test/regress/sql/json.sql b/src/test/regress/sql/json.sql index ab2dd2ed0d5..ad8f7fe0cc9 100644 --- a/src/test/regress/sql/json.sql +++ b/src/test/regress/sql/json.sql @@ -45,6 +45,12 @@ SELECT '{"abc":1,"def":2,"ghi":[3,4],"hij":{"klm":5,"nop":[6]}}'::json; -- OK SELECT '{"abc":1:2}'::json; -- ERROR, colon in wrong spot SELECT '{"abc":1,3}'::json; -- ERROR, no value +-- Recursion. +SET max_stack_depth = '100kB'; +SELECT repeat('[', 1000)::json; +SELECT repeat('{"a":', 1000)::json; +RESET max_stack_depth; + -- Miscellaneous stuff. SELECT 'true'::json; -- OK SELECT 'false'::json; -- OK -- cgit v1.2.3