NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit81eaaf6

committed

Handle zero-length sublist correctly in Python -> SQL array conversion.

If PLySequence_ToArray came across a zero-length sublist, it'd computethe overall array size as zero, possibly leading to a memory clobber.(This would likely qualify as a security bug, were it not that plpythonis an untrusted language already.)I think there are other corner-case issues in this code as well, notablythat the error messages don't match the core code and for some rangesof array sizes you'd get "invalid memory alloc request size" rather thanthe intended message about array size.Really this code has no business doing its own array size calculationat all, so remove the faulty code in favor of using ArrayGetNItems().Per bug #17912 from Alexander Lakhin. Bug seems to have come in withcommit94aceed, so back-patch to all supported branches.Discussion:https://postgr.es/m/17912-82ceed78731d9cdc@postgresql.org

1 parent4dadd66 commit81eaaf6Copy full SHA for 81eaaf6

File tree

3 files changed

+23

-16

lines changed

src/pl/plpython
- expected
  - plpython_types.out
- plpy_typeio.c
- sql
  - plpython_types.sql

3 files changed

+23

-16

lines changed

`‎src/pl/plpython/expected/plpython_types.out`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -687,6 +687,15 @@ SELECT * FROM test_type_conversion_array_mixed2();`
`687`	`687`	`ERROR: invalid input syntax for type integer: "abc"`
`688`	`688`	`CONTEXT: while creating return value`
`689`	`689`	`PL/Python function "test_type_conversion_array_mixed2"`
	`690`	`+CREATE FUNCTION test_type_conversion_array_mixed3() RETURNS text[] AS $$`
	`691`	`+return [[], 'a']`
	`692`	`+$$ LANGUAGE plpython3u;`
	`693`	`+SELECT * FROM test_type_conversion_array_mixed3();`
	`694`	`+ test_type_conversion_array_mixed3`
	`695`	`+-----------------------------------`
	`696`	`+ {[],a}`
	`697`	`+(1 row)`
	`698`	`+`
`690`	`699`	`CREATE FUNCTION test_type_conversion_mdarray_malformed() RETURNS int[] AS $$`
`691`	`700`	`return [[1,2,3],[4,5]]`
`692`	`701`	`$$ LANGUAGE plpython3u;`

`‎src/pl/plpython/plpy_typeio.c`

Lines changed: 7 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -1136,7 +1136,7 @@ PLySequence_ToArray(PLyObToDatum arg, PyObject plrv,`
`1136`	`1136`	`inti;`
`1137`	`1137`	`Datum*elems;`
`1138`	`1138`	`bool*nulls;`
`1139`		`-int64len;`
	`1139`	`+intlen;`
`1140`	`1140`	`intndim;`
`1141`	`1141`	`intdims[MAXDIM];`
`1142`	`1142`	`intlbs[MAXDIM];`
`@@ -1155,7 +1155,6 @@ PLySequence_ToArray(PLyObToDatum arg, PyObject plrv,`
`1155`	`1155`	`* Determine the number of dimensions, and their sizes.`
`1156`	`1156`	`*/`
`1157`	`1157`	`ndim=0;`
`1158`		`-len=1;`
`1159`	`1158`
`1160`	`1159`	`Py_INCREF(plrv);`
`1161`	`1160`
`@@ -1174,17 +1173,6 @@ PLySequence_ToArray(PLyObToDatum arg, PyObject plrv,`
`1174`	`1173`	`if (dims[ndim]<0)`
`1175`	`1174`	`PLy_elog(ERROR,"could not determine sequence length for function return value");`
`1176`	`1175`
`1177`		`-if (dims[ndim]>MaxAllocSize)`
`1178`		`-ereport(ERROR,`
`1179`		`-(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
`1180`		`-errmsg("array size exceeds the maximum allowed")));`
`1181`		`-`
`1182`		`-len *=dims[ndim];`
`1183`		`-if (len>MaxAllocSize)`
`1184`		`-ereport(ERROR,`
`1185`		`-(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
`1186`		`-errmsg("array size exceeds the maximum allowed")));`
`1187`		`-`
`1188`	`1176`	`if (dims[ndim]==0)`
`1189`	`1177`	`{`
`1190`	`1178`	`/* empty sequence */`
`@@ -1214,15 +1202,18 @@ PLySequence_ToArray(PLyObToDatum arg, PyObject plrv,`
`1214`	`1202`	`errmsg("return value of function with array return type is not a Python sequence")));`
`1215`	`1203`
`1216`	`1204`	`ndim=1;`
`1217`		`-len=dims[0]=PySequence_Length(plrv);`
	`1205`	`+dims[0]=PySequence_Length(plrv);`
`1218`	`1206`	`}`
`1219`	`1207`
	`1208`	`+/* Allocate space for work arrays, after detecting array size overflow */`
	`1209`	`+len=ArrayGetNItems(ndim,dims);`
	`1210`	`+elems=palloc(sizeof(Datum)*len);`
	`1211`	`+nulls=palloc(sizeof(bool)*len);`
	`1212`	`+`
`1220`	`1213`	`/*`
`1221`	`1214`	`* Traverse the Python lists, in depth-first order, and collect all the`
`1222`	`1215`	`* elements at the bottom level into 'elems'/'nulls' arrays.`
`1223`	`1216`	`*/`
`1224`		`-elems=palloc(sizeof(Datum)*len);`
`1225`		`-nulls=palloc(sizeof(bool)*len);`
`1226`	`1217`	`currelem=0;`
`1227`	`1218`	`PLySequence_ToArray_recurse(arg->u.array.elm,plrv,`
`1228`	`1219`	`dims,ndim,0,`

`‎src/pl/plpython/sql/plpython_types.sql`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -328,6 +328,13 @@ $$ LANGUAGE plpython3u;`
`328`	`328`
`329`	`329`	`SELECT*FROM test_type_conversion_array_mixed2();`
`330`	`330`
	`331`	`+CREATEFUNCTIONtest_type_conversion_array_mixed3() RETURNStext[]AS $$`
	`332`	`+return [[],'a']`
	`333`	`+$$ LANGUAGE plpython3u;`
	`334`	`+`
	`335`	`+SELECT*FROM test_type_conversion_array_mixed3();`
	`336`	`+`
	`337`	`+`
`331`	`338`	`CREATEFUNCTIONtest_type_conversion_mdarray_malformed() RETURNSint[]AS $$`
`332`	`339`	`return [[1,2,3],[4,5]]`
`333`	`340`	`$$ LANGUAGE plpython3u;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit81eaaf6

File tree

3 files changed

3 files changed

`‎src/pl/plpython/expected/plpython_types.out`

`‎src/pl/plpython/plpy_typeio.c`

`‎src/pl/plpython/sql/plpython_types.sql`

0 commit comments