NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitd35cd06

committed

Fix overflow in parsing of positional parameter

Replace atol with pg_strtoint32_safe in the backend parser and withstrtoint in ECPG to reject overflows when parsing the number of apositional parameter. With atol from glibc, parameters $2147483648 and$4294967297 turn into $-2147483648 and $1, respectively.Author: Erik Wienhold <ewie@ewie.name>Reviewed-by: Michael Paquier <michael@paquier.xyz>Reviewed-by: Peter Eisentraut <peter@eisentraut.org>Reviewed-by: Alexander Lakhin <exclusion@gmail.com>Discussion:https://www.postgresql.org/message-id/flat/5d216d1c-91f6-4cbe-95e2-b4cbd930520c@ewie.name

1 parent4867f8a commitd35cd06Copy full SHA for d35cd06

File tree

4 files changed

+19

-2

lines changed

src
- backend/parser
  - scan.l
- interfaces/ecpg/preproc
  - pgc.l
- test/regress
  - expected
    - numerology.out
  - sql
    - numerology.sql

4 files changed

+19

-2

lines changed

`‎src/backend/parser/scan.l`

Lines changed: 7 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -992,8 +992,14 @@ other.`
`992`	`992`	`}`
`993`	`993`
`994`	`994`	`{param}{`
	`995`	`+ErrorSaveContext escontext = {T_ErrorSaveContext};`
	`996`	`+int32val;`
	`997`	`+`
`995`	`998`	`SET_YYLLOC();`
`996`		`-yylval->ival =atol(yytext +1);`
	`999`	`+val =pg_strtoint32_safe(yytext +1, (Node *) &escontext);`
	`1000`	`+if (escontext.error_occurred)`
	`1001`	`+yyerror("parameter number too large");`
	`1002`	`+yylval->ival = val;`
`997`	`1003`	`return PARAM;`
`998`	`1004`	`}`
`999`	`1005`	`{param_junk}{`

`‎src/interfaces/ecpg/preproc/pgc.l`

Lines changed: 7 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -938,7 +938,13 @@ cppline{space}#([^i][A-Za-z]\|{if}\|{ifdef}\|{ifndef}\|{import})((\/\[^/]\+`
`938`	`938`	`}`
`939`	`939`
`940`	`940`	`{param}{`
`941`		`-base_yylval.ival =atol(yytext+1);`
	`941`	`+intval;`
	`942`	`+`
	`943`	`+errno =0;`
	`944`	`+val =strtoint(yytext +1,NULL,10);`
	`945`	`+if (errno == ERANGE)`
	`946`	`+mmfatal(PARSE_ERROR,"parameter number too large");`
	`947`	`+base_yylval.ival = val;`
`942`	`948`	`return PARAM;`
`943`	`949`	`}`
`944`	`950`	`{param_junk}{`

`‎src/test/regress/expected/numerology.out`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -206,6 +206,10 @@ PREPARE p1 AS SELECT $1a;`
`206`	`206`	`ERROR: trailing junk after parameter at or near "$1a"`
`207`	`207`	`LINE 1: PREPARE p1 AS SELECT $1a;`
`208`	`208`	`^`
	`209`	`+PREPARE p1 AS SELECT $2147483648;`
	`210`	`+ERROR: parameter number too large at or near "$2147483648"`
	`211`	`+LINE 1: PREPARE p1 AS SELECT $2147483648;`
	`212`	`+ ^`
`209`	`213`	`SELECT 0b;`
`210`	`214`	`ERROR: invalid binary integer at or near "0b"`
`211`	`215`	`LINE 1: SELECT 0b;`

`‎src/test/regress/sql/numerology.sql`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ SELECT 0.0e1a;`
`52`	`52`	`SELECT0.0e;`
`53`	`53`	`SELECT0.0e+a;`
`54`	`54`	`PREPARE p1ASSELECT $1a;`
	`55`	`+PREPARE p1ASSELECT $2147483648;`
`55`	`56`
`56`	`57`	`SELECT 0b;`
`57`	`58`	`SELECT 1b;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd35cd06

File tree

4 files changed

4 files changed

`‎src/backend/parser/scan.l`

`‎src/interfaces/ecpg/preproc/pgc.l`

`‎src/test/regress/expected/numerology.out`

`‎src/test/regress/sql/numerology.sql`

0 commit comments