NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit12bbce1

committed

Predict integer overflow to avoid buffer overruns.

Several functions, mostly type input functions, calculated an allocationsize such that the calculation wrapped to a small positive value whenarguments implied a sufficiently-large requirement. Writes past the endof the inadvertent small allocation followed shortly thereafter.Coverity identified the path_in() vulnerability; code inspection led tothe rest. In passing, add check_stack_depth() to prevent stack overflowin related functions.Back-patch to 8.4 (all supported versions). The non-comment hstorechanges touch code that did not exist in 8.4, so that part stops at 9.0.Noah Misch and Heikki Linnakangas, reviewed by Tom Lane.Security:CVE-2014-0064

1 parentf416622 commit12bbce1Copy full SHA for 12bbce1

File tree

15 files changed

+169

-19

lines changed

contrib
- hstore
- intarray
  - _int.h
  - _int_bool.c
- ltree
src
- backend/utils/adt
- include
  - tsearch
    - ts_type.h
  - utils
    - varbit.h

15 files changed

+169

-19

lines changed

`‎contrib/hstore/hstore.h`

Lines changed: 12 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -49,16 +49,25 @@ typedef struct`
`49`	`49`	`}HStore;`
`50`	`50`
`51`	`51`	`/*`
`52`		`- * it's not possible to get more than 2^28 items into an hstore,`
`53`		`- * so we reserve the top few bits of the size field. See hstore_compat.c`
`54`		`- * for one reason why.Some bits are left for future use here.`
	`52`	`+ * It's not possible to get more than 2^28 items into an hstore, so we reserve`
	`53`	`+ * the top few bits of the size field. See hstore_compat.c for one reason`
	`54`	`+ * why. Some bits are left for future use here. MaxAllocSize makes the`
	`55`	`+ * practical count limit slightly more than 2^28 / 3, or INT_MAX / 24, the`
	`56`	`+ * limit for an hstore full of 4-byte keys and null values. Therefore, we`
	`57`	`+ * don't explicitly check the format-imposed limit.`
`55`	`58`	`*/`
`56`	`59`	`#defineHS_FLAG_NEWVERSION 0x80000000`
`57`	`60`
`58`	`61`	`#defineHS_COUNT(hsp_) ((hsp_)->size_ & 0x0FFFFFFF)`
`59`	`62`	`#defineHS_SETCOUNT(hsp_,c_) ((hsp_)->size_ = (c_) \| HS_FLAG_NEWVERSION)`
`60`	`63`
`61`	`64`
	`65`	`+/*`
	`66`	`+ * "x" comes from an existing HS_COUNT() (as discussed, <= INT_MAX/24) or a`
	`67`	`+ * Pairs array length (due to MaxAllocSize, <= INT_MAX/40). "lenstr" is no`
	`68`	`+ * more than INT_MAX, that extreme case arising in hstore_from_arrays().`
	`69`	`+ * Therefore, this calculation is limited to about INT_MAX / 5 + INT_MAX.`
	`70`	`+ */`
`62`	`71`	`#defineHSHRDSIZE(sizeof(HStore))`
`63`	`72`	`#defineCALCDATASIZE(x,lenstr) ( (x) * 2 * sizeof(HEntry) + HSHRDSIZE + (lenstr) )`
`64`	`73`

`‎contrib/hstore/hstore_io.c`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`	`#include"funcapi.h"`
`10`	`10`	`#include"libpq/pqformat.h"`
`11`	`11`	`#include"utils/lsyscache.h"`
	`12`	`+#include"utils/memutils.h"`
`12`	`13`	`#include"utils/typcache.h"`
`13`	`14`
`14`	`15`	`#include"hstore.h"`
`@@ -437,6 +438,11 @@ hstore_recv(PG_FUNCTION_ARGS)`
`437`	`438`	`PG_RETURN_POINTER(out);`
`438`	`439`	`}`
`439`	`440`
	`441`	`+if (pcount<0\|\|pcount>MaxAllocSize /sizeof(Pairs))`
	`442`	`+ereport(ERROR,`
	`443`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`444`	`+errmsg("number of pairs (%d) exceeds the maximum allowed (%d)",`
	`445`	`+pcount, (int) (MaxAllocSize /sizeof(Pairs)))));`
`440`	`446`	`pairs=palloc(pcount*sizeof(Pairs));`
`441`	`447`
`442`	`448`	`for (i=0;i<pcount;++i)`
`@@ -552,6 +558,13 @@ hstore_from_arrays(PG_FUNCTION_ARGS)`
`552`	`558`	`TEXTOID,-1, false,'i',`
`553`	`559`	`&key_datums,&key_nulls,&key_count);`
`554`	`560`
	`561`	`+/* see discussion in hstoreArrayToPairs() */`
	`562`	`+if (key_count>MaxAllocSize /sizeof(Pairs))`
	`563`	`+ereport(ERROR,`
	`564`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`565`	`+errmsg("number of pairs (%d) exceeds the maximum allowed (%d)",`
	`566`	`+key_count, (int) (MaxAllocSize /sizeof(Pairs)))));`
	`567`	`+`
`555`	`568`	`/* value_array might be NULL */`
`556`	`569`
`557`	`570`	`if (PG_ARGISNULL(1))`
`@@ -674,6 +687,13 @@ hstore_from_array(PG_FUNCTION_ARGS)`
`674`	`687`
`675`	`688`	`count=in_count /2;`
`676`	`689`
	`690`	`+/* see discussion in hstoreArrayToPairs() */`
	`691`	`+if (count>MaxAllocSize /sizeof(Pairs))`
	`692`	`+ereport(ERROR,`
	`693`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`694`	`+errmsg("number of pairs (%d) exceeds the maximum allowed (%d)",`
	`695`	`+count, (int) (MaxAllocSize /sizeof(Pairs)))));`
	`696`	`+`
`677`	`697`	`pairs=palloc(count*sizeof(Pairs));`
`678`	`698`
`679`	`699`	`for (i=0;i<count;++i)`
`@@ -805,6 +825,7 @@ hstore_from_record(PG_FUNCTION_ARGS)`
`805`	`825`	`my_extra->ncolumns=ncolumns;`
`806`	`826`	`}`
`807`	`827`
	`828`	`+Assert(ncolumns <=MaxTupleAttributeNumber);/* thus, no overflow */`
`808`	`829`	`pairs=palloc(ncolumns*sizeof(Pairs));`
`809`	`830`
`810`	`831`	`if (rec)`

`‎contrib/hstore/hstore_op.c`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`#include"catalog/pg_type.h"`
`8`	`8`	`#include"funcapi.h"`
`9`	`9`	`#include"utils/builtins.h"`
	`10`	`+#include"utils/memutils.h"`
`10`	`11`
`11`	`12`	`#include"hstore.h"`
`12`	`13`
`@@ -89,6 +90,19 @@ hstoreArrayToPairs(ArrayType a, int npairs)`
`89`	`90`	`returnNULL;`
`90`	`91`	`}`
`91`	`92`
	`93`	`+/*`
	`94`	`+ * A text array uses at least eight bytes per element, so any overflow in`
	`95`	`+ * "key_count * sizeof(Pairs)" is small enough for palloc() to catch.`
	`96`	`+ * However, credible improvements to the array format could invalidate`
	`97`	`+ * that assumption. Therefore, use an explicit check rather than relying`
	`98`	`+ * on palloc() to complain.`
	`99`	`+ */`
	`100`	`+if (key_count>MaxAllocSize /sizeof(Pairs))`
	`101`	`+ereport(ERROR,`
	`102`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`103`	`+errmsg("number of pairs (%d) exceeds the maximum allowed (%d)",`
	`104`	`+key_count, (int) (MaxAllocSize /sizeof(Pairs)))));`
	`105`	`+`
`92`	`106`	`key_pairs=palloc(sizeof(Pairs)*key_count);`
`93`	`107`
`94`	`108`	`for (i=0,j=0;i<key_count;i++)`
`@@ -647,6 +661,7 @@ hstore_slice_to_hstore(PG_FUNCTION_ARGS)`
`647`	`661`	`PG_RETURN_POINTER(out);`
`648`	`662`	`}`
`649`	`663`
	`664`	`+/* hstoreArrayToPairs() checked overflow */`
`650`	`665`	`out_pairs=palloc(sizeof(Pairs)*nkeys);`
`651`	`666`	`bufsiz=0;`
`652`	`667`

`‎contrib/intarray/_int.h`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`#define___INT_H__`
`6`	`6`
`7`	`7`	`#include"utils/array.h"`
	`8`	`+#include"utils/memutils.h"`
`8`	`9`
`9`	`10`	`/* number ranges for compression */`
`10`	`11`	`#defineMAXNUMRANGE 100`
`@@ -137,6 +138,7 @@ typedef struct QUERYTYPE`
`137`	`138`
`138`	`139`	`#defineHDRSIZEQToffsetof(QUERYTYPE, items)`
`139`	`140`	`#defineCOMPUTESIZE(size)( HDRSIZEQT + (size) * sizeof(ITEM) )`
	`141`	`+#defineQUERYTYPEMAXITEMS((MaxAllocSize - HDRSIZEQT) / sizeof(ITEM))`
`140`	`142`	`#defineGETQUERY(x) ( (x)->items )`
`141`	`143`
`142`	`144`	`/* "type" codes for ITEM */`

`‎contrib/intarray/_int_bool.c`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -451,6 +451,9 @@ boolop(PG_FUNCTION_ARGS)`
`451`	`451`	`staticvoid`
`452`	`452`	`findoprnd(ITEMptr,int4pos)`
`453`	`453`	`{`
	`454`	`+/* since this function recurses, it could be driven to stack overflow. */`
	`455`	`+check_stack_depth();`
	`456`	`+`
`454`	`457`	`#ifdefBS_DEBUG`
`455`	`458`	`elog(DEBUG3, (ptr[*pos].type==OPR) ?`
`456`	`459`	`"%d %c" :"%d %d",pos,ptr[pos].val);`
`@@ -511,7 +514,13 @@ bqarr_in(PG_FUNCTION_ARGS)`
`511`	`514`	`(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
`512`	`515`	`errmsg("empty query")));`
`513`	`516`
	`517`	`+if (state.num>QUERYTYPEMAXITEMS)`
	`518`	`+ereport(ERROR,`
	`519`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`520`	`+errmsg("number of query items (%d) exceeds the maximum allowed (%d)",`
	`521`	`+state.num, (int)QUERYTYPEMAXITEMS)));`
`514`	`522`	`commonlen=COMPUTESIZE(state.num);`
	`523`	`+`
`515`	`524`	`query= (QUERYTYPE*)palloc(commonlen);`
`516`	`525`	`SET_VARSIZE(query,commonlen);`
`517`	`526`	`query->size=state.num;`

`‎contrib/ltree/ltree.h`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`
`6`	`6`	`#include"fmgr.h"`
`7`	`7`	`#include"tsearch/ts_locale.h"`
	`8`	`+#include"utils/memutils.h"`
`8`	`9`
`9`	`10`	`typedefstruct`
`10`	`11`	`{`
`@@ -111,6 +112,8 @@ typedef struct`
`111`	`112`
`112`	`113`	`#defineHDRSIZEQTMAXALIGN(VARHDRSZ + sizeof(int4))`
`113`	`114`	`#defineCOMPUTESIZE(size,lenofoperand)( HDRSIZEQT + (size) * sizeof(ITEM) + (lenofoperand) )`
	`115`	`+#defineLTXTQUERY_TOO_BIG(size,lenofoperand) \`
	`116`	`+((size) > (MaxAllocSize - HDRSIZEQT - (lenofoperand)) / sizeof(ITEM))`
`114`	`117`	`#defineGETQUERY(x) (ITEM)( (char)(x)+HDRSIZEQT )`
`115`	`118`	`#defineGETOPERAND(x)( (char)GETQUERY(x) + ((ltxtquery)x)->size * sizeof(ITEM) )`
`116`	`119`

`‎contrib/ltree/ltree_io.c`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`#include<ctype.h>`
`9`	`9`
`10`	`10`	`#include"ltree.h"`
	`11`	`+#include"utils/memutils.h"`
`11`	`12`	`#include"crc32.h"`
`12`	`13`
`13`	`14`	`PG_FUNCTION_INFO_V1(ltree_in);`
`@@ -64,6 +65,11 @@ ltree_in(PG_FUNCTION_ARGS)`
`64`	`65`	`ptr+=charlen;`
`65`	`66`	`}`
`66`	`67`
	`68`	`+if (num+1>MaxAllocSize /sizeof(nodeitem))`
	`69`	`+ereport(ERROR,`
	`70`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`71`	`+errmsg("number of levels (%d) exceeds the maximum allowed (%d)",`
	`72`	`+num+1, (int) (MaxAllocSize /sizeof(nodeitem)))));`
`67`	`73`	`list=lptr= (nodeitem)palloc(sizeof(nodeitem) (num+1));`
`68`	`74`	`ptr=buf;`
`69`	`75`	`while (*ptr)`
`@@ -228,6 +234,11 @@ lquery_in(PG_FUNCTION_ARGS)`
`228`	`234`	`}`
`229`	`235`
`230`	`236`	`num++;`
	`237`	`+if (num>MaxAllocSize /ITEMSIZE)`
	`238`	`+ereport(ERROR,`
	`239`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`240`	`+errmsg("number of levels (%d) exceeds the maximum allowed (%d)",`
	`241`	`+num, (int) (MaxAllocSize /ITEMSIZE))));`
`231`	`242`	`curqlevel=tmpql= (lquery_level)palloc0(ITEMSIZEnum);`
`232`	`243`	`ptr=buf;`
`233`	`244`	`while (*ptr)`

`‎contrib/ltree/ltxtquery_io.c`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`
`10`	`10`	`#include"crc32.h"`
`11`	`11`	`#include"ltree.h"`
	`12`	`+#include"miscadmin.h"`
`12`	`13`
`13`	`14`	`PG_FUNCTION_INFO_V1(ltxtq_in);`
`14`	`15`	`Datumltxtq_in(PG_FUNCTION_ARGS);`
`@@ -213,6 +214,9 @@ makepol(QPRS_STATE *state)`
`213`	`214`	`int4lenstack=0;`
`214`	`215`	`uint16flag=0;`
`215`	`216`
	`217`	`+/* since this function recurses, it could be driven to stack overflow */`
	`218`	`+check_stack_depth();`
	`219`	`+`
`216`	`220`	`while ((type=gettoken_query(state,&val,&lenval,&strval,&flag))!=END)`
`217`	`221`	`{`
`218`	`222`	`switch (type)`
`@@ -277,6 +281,9 @@ makepol(QPRS_STATE *state)`
`277`	`281`	`staticvoid`
`278`	`282`	`findoprnd(ITEMptr,int4pos)`
`279`	`283`	`{`
	`284`	`+/* since this function recurses, it could be driven to stack overflow. */`
	`285`	`+check_stack_depth();`
	`286`	`+`
`280`	`287`	`if (ptr[pos].type==VAL\|\|ptr[pos].type==VALTRUE)`
`281`	`288`	`{`
`282`	`289`	`ptr[*pos].left=0;`
`@@ -341,8 +348,12 @@ queryin(char *buf)`
`341`	`348`	`errmsg("syntax error"),`
`342`	`349`	`errdetail("Empty query.")));`
`343`	`350`
`344`		`-/* make finish struct */`
	`351`	`+if (LTXTQUERY_TOO_BIG(state.num,state.sumlen))`
	`352`	`+ereport(ERROR,`
	`353`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`354`	`+errmsg("ltxtquery is too large")));`
`345`	`355`	`commonlen=COMPUTESIZE(state.num,state.sumlen);`
	`356`	`+`
`346`	`357`	`query= (ltxtquery*)palloc(commonlen);`
`347`	`358`	`SET_VARSIZE(query,commonlen);`
`348`	`359`	`query->size=state.num;`

`‎src/backend/utils/adt/geo_ops.c`

Lines changed: 28 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1403,6 +1403,7 @@ path_in(PG_FUNCTION_ARGS)`
`1403`	`1403`	`char*s;`
`1404`	`1404`	`intnpts;`
`1405`	`1405`	`intsize;`
	`1406`	`+intbase_size;`
`1406`	`1407`	`intdepth=0;`
`1407`	`1408`
`1408`	`1409`	`if ((npts=pair_count(str,',')) <=0)`
`@@ -1421,7 +1422,15 @@ path_in(PG_FUNCTION_ARGS)`
`1421`	`1422`	`depth++;`
`1422`	`1423`	`}`
`1423`	`1424`
`1424`		`-size= offsetof(PATH,p[0])+sizeof(path->p[0])*npts;`
	`1425`	`+base_size=sizeof(path->p[0])*npts;`
	`1426`	`+size= offsetof(PATH,p[0])+base_size;`
	`1427`	`+`
	`1428`	`+/* Check for integer overflow */`
	`1429`	`+if (base_size /npts!=sizeof(path->p[0])\|\|size <=base_size)`
	`1430`	`+ereport(ERROR,`
	`1431`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`1432`	`+errmsg("too many points requested")));`
	`1433`	`+`
`1425`	`1434`	`path= (PATH*)palloc(size);`
`1426`	`1435`
`1427`	`1436`	`SET_VARSIZE(path,size);`
`@@ -3465,6 +3474,7 @@ poly_in(PG_FUNCTION_ARGS)`
`3465`	`3474`	`POLYGON*poly;`
`3466`	`3475`	`intnpts;`
`3467`	`3476`	`intsize;`
	`3477`	`+intbase_size;`
`3468`	`3478`	`intisopen;`
`3469`	`3479`	`char*s;`
`3470`	`3480`
`@@ -3473,7 +3483,15 @@ poly_in(PG_FUNCTION_ARGS)`
`3473`	`3483`	`(errcode(ERRCODE_INVALID_TEXT_REPRESENTATION),`
`3474`	`3484`	`errmsg("invalid input syntax for type polygon: \"%s\"",str)));`
`3475`	`3485`
`3476`		`-size= offsetof(POLYGON,p[0])+sizeof(poly->p[0])*npts;`
	`3486`	`+base_size=sizeof(poly->p[0])*npts;`
	`3487`	`+size= offsetof(POLYGON,p[0])+base_size;`
	`3488`	`+`
	`3489`	`+/* Check for integer overflow */`
	`3490`	`+if (base_size /npts!=sizeof(poly->p[0])\|\|size <=base_size)`
	`3491`	`+ereport(ERROR,`
	`3492`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`3493`	`+errmsg("too many points requested")));`
	`3494`	`+`
`3477`	`3495`	`poly= (POLYGON)palloc0(size);/ zero any holes */`
`3478`	`3496`
`3479`	`3497`	`SET_VARSIZE(poly,size);`
`@@ -4379,6 +4397,10 @@ path_poly(PG_FUNCTION_ARGS)`
`4379`	`4397`	`(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
`4380`	`4398`	`errmsg("open path cannot be converted to polygon")));`
`4381`	`4399`
	`4400`	`+/*`
	`4401`	`+ * Never overflows: the old size fit in MaxAllocSize, and the new size is`
	`4402`	`+ * just a small constant larger.`
	`4403`	`+ */`
`4382`	`4404`	`size= offsetof(POLYGON,p[0])+sizeof(poly->p[0])*path->npts;`
`4383`	`4405`	`poly= (POLYGON*)palloc(size);`
`4384`	`4406`
`@@ -4484,6 +4506,10 @@ poly_path(PG_FUNCTION_ARGS)`
`4484`	`4506`	`intsize;`
`4485`	`4507`	`inti;`
`4486`	`4508`
	`4509`	`+/*`
	`4510`	`+ * Never overflows: the old size fit in MaxAllocSize, and the new size is`
	`4511`	`+ * smaller by a small constant.`
	`4512`	`+ */`
`4487`	`4513`	`size= offsetof(PATH,p[0])+sizeof(path->p[0])*poly->npts;`
`4488`	`4514`	`path= (PATH*)palloc(size);`
`4489`	`4515`

`‎src/backend/utils/adt/tsquery.c`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -515,8 +515,13 @@ parse_tsquery(char *buf,`
`515`	`515`	`returnquery;`
`516`	`516`	`}`
`517`	`517`
`518`		`-/* Pack the QueryItems in the final TSQuery struct to return to caller */`
	`518`	`+if (TSQUERY_TOO_BIG(list_length(state.polstr),state.sumlen))`
	`519`	`+ereport(ERROR,`
	`520`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`521`	`+errmsg("tsquery is too large")));`
`519`	`522`	`commonlen=COMPUTESIZE(list_length(state.polstr),state.sumlen);`
	`523`	`+`
	`524`	`+/* Pack the QueryItems in the final TSQuery struct to return to caller */`
`520`	`525`	`query= (TSQuery)palloc0(commonlen);`
`521`	`526`	`SET_VARSIZE(query,commonlen);`
`522`	`527`	`query->size=list_length(state.polstr);`

`‎src/backend/utils/adt/tsquery_util.c`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -333,6 +333,11 @@ QTN2QT(QTNode *in)`
`333`	`333`	`QTN2QTStatestate;`
`334`	`334`
`335`	`335`	`cntsize(in,&sumlen,&nnode);`
	`336`	`+`
	`337`	`+if (TSQUERY_TOO_BIG(nnode,sumlen))`
	`338`	`+ereport(ERROR,`
	`339`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`340`	`+errmsg("tsquery is too large")));`
`336`	`341`	`len=COMPUTESIZE(nnode,sumlen);`
`337`	`342`
`338`	`343`	`out= (TSQuery)palloc0(len);`

`‎src/backend/utils/adt/txid.c`

Lines changed: 5 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@`
`27`	`27`	`#include"miscadmin.h"`
`28`	`28`	`#include"libpq/pqformat.h"`
`29`	`29`	`#include"utils/builtins.h"`
	`30`	`+#include"utils/memutils.h"`
`30`	`31`	`#include"utils/snapmgr.h"`
`31`	`32`
`32`	`33`
`@@ -66,6 +67,8 @@ typedef struct`
`66`	`67`
`67`	`68`	`#defineTXID_SNAPSHOT_SIZE(nxip) \`
`68`	`69`	`(offsetof(TxidSnapshot, xip) + sizeof(txid) * (nxip))`
	`70`	`+#defineTXID_SNAPSHOT_MAX_NXIP \`
	`71`	`+((MaxAllocSize - offsetof(TxidSnapshot, xip)) / sizeof(txid))`
`69`	`72`
`70`	`73`	`/*`
`71`	`74`	`* Epoch values from xact.c`
`@@ -445,20 +448,12 @@ txid_snapshot_recv(PG_FUNCTION_ARGS)`
`445`	`448`	`txidlast=0;`
`446`	`449`	`intnxip;`
`447`	`450`	`inti;`
`448`		`-intavail;`
`449`		`-intexpect;`
`450`	`451`	`txidxmin,`
`451`	`452`	`xmax;`
`452`	`453`
`453`		`-/*`
`454`		`- * load nxip and check for nonsense.`
`455`		`- *`
`456`		`- * (nxip > avail) check is against int overflows in 'expect'.`
`457`		`- */`
	`454`	`+/* load and validate nxip */`
`458`	`455`	`nxip=pq_getmsgint(buf,4);`
`459`		`-avail=buf->len-buf->cursor;`
`460`		`-expect=8+8+nxip*8;`
`461`		`-if (nxip<0\|\|nxip>avail\|\|expect>avail)`
	`456`	`+if (nxip<0\|\|nxip>TXID_SNAPSHOT_MAX_NXIP)`
`462`	`457`	`gotobad_format;`
`463`	`458`
`464`	`459`	`xmin=pq_getmsgint64(buf);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit12bbce1

File tree

15 files changed

15 files changed

`‎contrib/hstore/hstore.h`

`‎contrib/hstore/hstore_io.c`

`‎contrib/hstore/hstore_op.c`

`‎contrib/intarray/_int.h`

`‎contrib/intarray/_int_bool.c`

`‎contrib/ltree/ltree.h`

`‎contrib/ltree/ltree_io.c`

`‎contrib/ltree/ltxtquery_io.c`

`‎src/backend/utils/adt/geo_ops.c`

`‎src/backend/utils/adt/tsquery.c`

`‎src/backend/utils/adt/tsquery_util.c`

`‎src/backend/utils/adt/txid.c`

0 commit comments