Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit4fb6478

Browse files
committed
Add defenses against running with a wrong selection of LOBLKSIZE.
It's critical that the backend's idea of LOBLKSIZE match the way data hasactually been divided up in pg_largeobject. While we don't provide anydirect way to adjust that value, doing so is a one-line source code changeand various people have expressed interest recently in changing it. So,just as with TOAST_MAX_CHUNK_SIZE, it seems prudent to record the value inpg_control and cross-check that the backend's compiled-in setting matchesthe on-disk data.Also tweak the code in inv_api.c so that fetches from pg_largeobjectexplicitly verify that the length of the data field is not more thanLOBLKSIZE. Formerly we just had Asserts() for that, which is no protectionat all in production builds. In some of the call sites an overlength datavalue would translate directly to a security-relevant stack clobber, so itseems worth one extra runtime comparison to be sure.In the back branches, we can't change the contents of pg_control; but wecan still make the extra checks in inv_api.c, which will offer some amountof protection against running with the wrong value of LOBLKSIZE.
1 parent315442c commit4fb6478

File tree

1 file changed

+39
-45
lines changed

1 file changed

+39
-45
lines changed

‎src/backend/storage/large_object/inv_api.c

Lines changed: 39 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -171,13 +171,38 @@ myLargeObjectExists(Oid loid, Snapshot snapshot)
171171
}
172172

173173

174-
staticint32
175-
getbytealen(bytea*data)
174+
/*
175+
* Extract data field from a pg_largeobject tuple, detoasting if needed
176+
* and verifying that the length is sane. Returns data pointer (a bytea *),
177+
* data length, and an indication of whether to pfree the data pointer.
178+
*/
179+
staticvoid
180+
getdatafield(Form_pg_largeobjecttuple,
181+
bytea**pdatafield,
182+
int*plen,
183+
bool*pfreeit)
176184
{
177-
Assert(!VARATT_IS_EXTENDED(data));
178-
if (VARSIZE(data)<VARHDRSZ)
179-
elog(ERROR,"invalid VARSIZE(data)");
180-
return (VARSIZE(data)-VARHDRSZ);
185+
bytea*datafield;
186+
intlen;
187+
boolfreeit;
188+
189+
datafield=&(tuple->data);/* see note at top of file */
190+
freeit= false;
191+
if (VARATT_IS_EXTENDED(datafield))
192+
{
193+
datafield= (bytea*)
194+
heap_tuple_untoast_attr((structvarlena*)datafield);
195+
freeit= true;
196+
}
197+
len=VARSIZE(datafield)-VARHDRSZ;
198+
if (len<0||len>LOBLKSIZE)
199+
ereport(ERROR,
200+
(errcode(ERRCODE_DATA_CORRUPTED),
201+
errmsg("pg_largeobject entry for OID %u, page %d has invalid data field size %d",
202+
tuple->loid,tuple->pageno,len)));
203+
*pdatafield=datafield;
204+
*plen=len;
205+
*pfreeit=freeit;
181206
}
182207

183208

@@ -363,20 +388,14 @@ inv_getsize(LargeObjectDesc *obj_desc)
363388
{
364389
Form_pg_largeobjectdata;
365390
bytea*datafield;
391+
intlen;
366392
boolpfreeit;
367393

368394
if (HeapTupleHasNulls(tuple))/* paranoia */
369395
elog(ERROR,"null field found in pg_largeobject");
370396
data= (Form_pg_largeobject)GETSTRUCT(tuple);
371-
datafield=&(data->data);/* see note at top of file */
372-
pfreeit= false;
373-
if (VARATT_IS_EXTENDED(datafield))
374-
{
375-
datafield= (bytea*)
376-
heap_tuple_untoast_attr((structvarlena*)datafield);
377-
pfreeit= true;
378-
}
379-
lastbyte=data->pageno*LOBLKSIZE+getbytealen(datafield);
397+
getdatafield(data,&datafield,&len,&pfreeit);
398+
lastbyte=data->pageno*LOBLKSIZE+len;
380399
if (pfreeit)
381400
pfree(datafield);
382401
}
@@ -491,15 +510,7 @@ inv_read(LargeObjectDesc *obj_desc, char *buf, int nbytes)
491510
off= (int) (obj_desc->offset-pageoff);
492511
Assert(off >=0&&off<LOBLKSIZE);
493512

494-
datafield=&(data->data);/* see note at top of file */
495-
pfreeit= false;
496-
if (VARATT_IS_EXTENDED(datafield))
497-
{
498-
datafield= (bytea*)
499-
heap_tuple_untoast_attr((structvarlena*)datafield);
500-
pfreeit= true;
501-
}
502-
len=getbytealen(datafield);
513+
getdatafield(data,&datafield,&len,&pfreeit);
503514
if (len>off)
504515
{
505516
n=len-off;
@@ -618,16 +629,7 @@ inv_write(LargeObjectDesc *obj_desc, const char *buf, int nbytes)
618629
*
619630
* First, load old data into workbuf
620631
*/
621-
datafield=&(olddata->data);/* see note at top of file */
622-
pfreeit= false;
623-
if (VARATT_IS_EXTENDED(datafield))
624-
{
625-
datafield= (bytea*)
626-
heap_tuple_untoast_attr((structvarlena*)datafield);
627-
pfreeit= true;
628-
}
629-
len=getbytealen(datafield);
630-
Assert(len <=LOBLKSIZE);
632+
getdatafield(olddata,&datafield,&len,&pfreeit);
631633
memcpy(workb,VARDATA(datafield),len);
632634
if (pfreeit)
633635
pfree(datafield);
@@ -803,19 +805,11 @@ inv_truncate(LargeObjectDesc *obj_desc, int len)
803805
if (olddata!=NULL&&olddata->pageno==pageno)
804806
{
805807
/* First, load old data into workbuf */
806-
bytea*datafield=&(olddata->data);/* see note at top of
807-
* file */
808-
boolpfreeit= false;
808+
bytea*datafield;
809809
intpagelen;
810+
boolpfreeit;
810811

811-
if (VARATT_IS_EXTENDED(datafield))
812-
{
813-
datafield= (bytea*)
814-
heap_tuple_untoast_attr((structvarlena*)datafield);
815-
pfreeit= true;
816-
}
817-
pagelen=getbytealen(datafield);
818-
Assert(pagelen <=LOBLKSIZE);
812+
getdatafield(olddata,&datafield,&pagelen,&pfreeit);
819813
memcpy(workb,VARDATA(datafield),pagelen);
820814
if (pfreeit)
821815
pfree(datafield);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp