Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit02ac305

Browse files
committed
Tweak libpq to avoid crashing due to incorrect buffer size calculation when
we are on a 64-bit machine (ie, size_t is wider than int) and someone passesin a query string that approaches or exceeds INT_MAX bytes. Also, just forparanoia's sake, guard against similar overflows in sizing the input buffer.The backend will not in the foreseeable future be prepared to send or receivestrings exceeding 1GB, so I didn't take the more invasive step of switchingall the buffer index variables from int to size_t; though someday we mightwant to do that.I have a suspicion that this is not the only such bug in libpq, but thisfix is enough to take care of the crash reported by Francisco Reyes.
1 parent5914140 commit02ac305

File tree

5 files changed

+30
-25
lines changed

5 files changed

+30
-25
lines changed

‎src/interfaces/libpq/fe-connect.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.358 2008/05/16 18:30:53 mha Exp $
11+
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.359 2008/05/29 22:02:44 tgl Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -1581,7 +1581,8 @@ PQconnectPoll(PGconn *conn)
15811581
* needed to hold the whole message; see notes in
15821582
* pqParseInput3.
15831583
*/
1584-
if (pqCheckInBufferSpace(conn->inCursor+msgLength,conn))
1584+
if (pqCheckInBufferSpace(conn->inCursor+ (size_t)msgLength,
1585+
conn))
15851586
gotoerror_return;
15861587
/* We'll come back when there is more data */
15871588
returnPGRES_POLLING_READING;

‎src/interfaces/libpq/fe-exec.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-exec.c,v 1.194 2008/01/01 19:46:00 momjian Exp $
11+
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-exec.c,v 1.195 2008/05/29 22:02:44 tgl Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -1685,7 +1685,8 @@ PQputCopyData(PGconn *conn, const char *buffer, int nbytes)
16851685
{
16861686
if (pqFlush(conn)<0)
16871687
return-1;
1688-
if (pqCheckOutBufferSpace(conn->outCount+5+nbytes,conn))
1688+
if (pqCheckOutBufferSpace(conn->outCount+5+ (size_t)nbytes,
1689+
conn))
16891690
returnpqIsnonblocking(conn) ?0 :-1;
16901691
}
16911692
/* Send the data (too simple to delegate to fe-protocol files) */

‎src/interfaces/libpq/fe-misc.c

Lines changed: 14 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@
2323
* Portions Copyright (c) 1994, Regents of the University of California
2424
*
2525
* IDENTIFICATION
26-
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-misc.c,v 1.133 2008/01/01 19:46:00 momjian Exp $
26+
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-misc.c,v 1.134 2008/05/29 22:02:44 tgl Exp $
2727
*
2828
*-------------------------------------------------------------------------
2929
*/
@@ -278,12 +278,12 @@ pqPutInt(int value, size_t bytes, PGconn *conn)
278278
* Returns 0 on success, EOF if failed to enlarge buffer
279279
*/
280280
int
281-
pqCheckOutBufferSpace(intbytes_needed,PGconn*conn)
281+
pqCheckOutBufferSpace(size_tbytes_needed,PGconn*conn)
282282
{
283283
intnewsize=conn->outBufSize;
284284
char*newbuf;
285285

286-
if (bytes_needed <=newsize)
286+
if (bytes_needed <=(size_t)newsize)
287287
return0;
288288

289289
/*
@@ -296,9 +296,9 @@ pqCheckOutBufferSpace(int bytes_needed, PGconn *conn)
296296
do
297297
{
298298
newsize *=2;
299-
}while (bytes_needed>newsize&&newsize>0);
299+
}while (newsize>0&&bytes_needed>(size_t)newsize);
300300

301-
if (bytes_needed <=newsize)
301+
if (newsize>0&&bytes_needed <= (size_t)newsize)
302302
{
303303
newbuf=realloc(conn->outBuffer,newsize);
304304
if (newbuf)
@@ -314,9 +314,9 @@ pqCheckOutBufferSpace(int bytes_needed, PGconn *conn)
314314
do
315315
{
316316
newsize+=8192;
317-
}while (bytes_needed>newsize&&newsize>0);
317+
}while (newsize>0&&bytes_needed>(size_t)newsize);
318318

319-
if (bytes_needed <=newsize)
319+
if (newsize>0&&bytes_needed <= (size_t)newsize)
320320
{
321321
newbuf=realloc(conn->outBuffer,newsize);
322322
if (newbuf)
@@ -341,12 +341,12 @@ pqCheckOutBufferSpace(int bytes_needed, PGconn *conn)
341341
* Returns 0 on success, EOF if failed to enlarge buffer
342342
*/
343343
int
344-
pqCheckInBufferSpace(intbytes_needed,PGconn*conn)
344+
pqCheckInBufferSpace(size_tbytes_needed,PGconn*conn)
345345
{
346346
intnewsize=conn->inBufSize;
347347
char*newbuf;
348348

349-
if (bytes_needed <=newsize)
349+
if (bytes_needed <=(size_t)newsize)
350350
return0;
351351

352352
/*
@@ -359,9 +359,9 @@ pqCheckInBufferSpace(int bytes_needed, PGconn *conn)
359359
do
360360
{
361361
newsize *=2;
362-
}while (bytes_needed>newsize&&newsize>0);
362+
}while (newsize>0&&bytes_needed>(size_t)newsize);
363363

364-
if (bytes_needed <=newsize)
364+
if (newsize>0&&bytes_needed <= (size_t)newsize)
365365
{
366366
newbuf=realloc(conn->inBuffer,newsize);
367367
if (newbuf)
@@ -377,9 +377,9 @@ pqCheckInBufferSpace(int bytes_needed, PGconn *conn)
377377
do
378378
{
379379
newsize+=8192;
380-
}while (bytes_needed>newsize&&newsize>0);
380+
}while (newsize>0&&bytes_needed>(size_t)newsize);
381381

382-
if (bytes_needed <=newsize)
382+
if (newsize>0&&bytes_needed <= (size_t)newsize)
383383
{
384384
newbuf=realloc(conn->inBuffer,newsize);
385385
if (newbuf)
@@ -572,7 +572,7 @@ pqReadData(PGconn *conn)
572572
*/
573573
if (conn->inBufSize-conn->inEnd<8192)
574574
{
575-
if (pqCheckInBufferSpace(conn->inEnd+8192,conn))
575+
if (pqCheckInBufferSpace(conn->inEnd+(size_t)8192,conn))
576576
{
577577
/*
578578
* We don't insist that the enlarge worked, but we need some room

‎src/interfaces/libpq/fe-protocol3.c

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-protocol3.c,v 1.34 2008/01/17 21:21:50 tgl Exp $
11+
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-protocol3.c,v 1.35 2008/05/29 22:02:44 tgl Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -115,7 +115,8 @@ pqParseInput3(PGconn *conn)
115115
* recovery strategy if we are unable to make the buffer big
116116
* enough.
117117
*/
118-
if (pqCheckInBufferSpace(conn->inCursor+msgLength,conn))
118+
if (pqCheckInBufferSpace(conn->inCursor+ (size_t)msgLength,
119+
conn))
119120
{
120121
/*
121122
* XXX add some better recovery code... plan is to skip over
@@ -1310,7 +1311,8 @@ getCopyDataMessage(PGconn *conn)
13101311
* Before returning, enlarge the input buffer if needed to hold
13111312
* the whole message. See notes in parseInput.
13121313
*/
1313-
if (pqCheckInBufferSpace(conn->inCursor+msgLength-4,conn))
1314+
if (pqCheckInBufferSpace(conn->inCursor+ (size_t)msgLength-4,
1315+
conn))
13141316
{
13151317
/*
13161318
* XXX add some better recovery code... plan is to skip over
@@ -1745,7 +1747,8 @@ pqFunctionCall3(PGconn *conn, Oid fnid,
17451747
* Before looping, enlarge the input buffer if needed to hold the
17461748
* whole message. See notes in parseInput.
17471749
*/
1748-
if (pqCheckInBufferSpace(conn->inCursor+msgLength,conn))
1750+
if (pqCheckInBufferSpace(conn->inCursor+ (size_t)msgLength,
1751+
conn))
17491752
{
17501753
/*
17511754
* XXX add some better recovery code... plan is to skip over

‎src/interfaces/libpq/libpq-int.h

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@
1212
* Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
1313
* Portions Copyright (c) 1994, Regents of the University of California
1414
*
15-
* $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.130 2008/05/16 18:30:53 mha Exp $
15+
* $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.131 2008/05/29 22:02:44 tgl Exp $
1616
*
1717
*-------------------------------------------------------------------------
1818
*/
@@ -511,8 +511,8 @@ extern PGresult *pqFunctionCall3(PGconn *conn, Oid fnid,
511511
* Get, EOF merely means the buffer is exhausted, not that there is
512512
* necessarily any error.
513513
*/
514-
externintpqCheckOutBufferSpace(intbytes_needed,PGconn*conn);
515-
externintpqCheckInBufferSpace(intbytes_needed,PGconn*conn);
514+
externintpqCheckOutBufferSpace(size_tbytes_needed,PGconn*conn);
515+
externintpqCheckInBufferSpace(size_tbytes_needed,PGconn*conn);
516516
externintpqGetc(char*result,PGconn*conn);
517517
externintpqPutc(charc,PGconn*conn);
518518
externintpqGets(PQExpBufferbuf,PGconn*conn);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp