
Commit08fa47c

committed
Prevent stack overflow in json-related functions.
Sufficiently-deep recursion heretofore elicited a SIGSEGV. If an application constructs PostgreSQL json or jsonb values from arbitrary user input, application users could have exploited this to terminate all active database connections. That applies to 9.3, where the json parser adopted recursive descent, and later versions. Only row_to_json() and array_to_json() were at risk in 9.2, both in a non-security capacity. Back-patch to 9.2, where the json type was introduced. Oskari Saarenmaa, reviewed by Michael Paquier. Security: CVE-2015-5289
1 parent1d812c8 commit08fa47c


9 files changed

+58
-0
lines changed


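--- a/src/backend/utils/adt/json.c
+++ b/src/backend/utils/adt/json.c
@@ -490,6 +490,8 @@ parse_object(JsonLexContext *lex, JsonSemAction *sem)
 json_struct_actionoend=sem->object_end;
 JsonTokenTypetok;
 
+check_stack_depth();
+
 if (ostart!=NULL)
 (*ostart) (sem->semstate);
 
@@ -568,6 +570,8 @@ parse_array(JsonLexContext *lex, JsonSemAction *sem)
 json_struct_actionastart=sem->array_start;
 json_struct_actionaend=sem->array_end;
 
+check_stack_depth();
+
 if (astart!=NULL)
 (*astart) (sem->semstate);
 
@@ -1433,6 +1437,8 @@ datum_to_json(Datum val, bool is_null, StringInfo result,
 char*outputstr;
 text*jsontext;
 
+check_stack_depth();
+
 /* callers are expected to ensure that null keys are not passed in */
 Assert(!(key_scalar&&is_null));
 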
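Review bot: The three new `check_stack_depth();` calls in parse_object, parse_array and datum_to_json carry no comment, so the reason for them lives only in the commit message; I would add one line above each, for example `/* nesting depth comes from user input; raise an ERROR instead of overrunning the stack */`. The placement itself looks right: in parse_object and parse_array the check sits before the `object_start`/`array_start` callback, so a level that is rejected never runs a semantic action. The same comment applies to the calls added in datum_to_jsonb (jsonb.c) and setPath (jsonfuncs.c). All of these function bodies start and end outside their hunks, so whether every other recursive path in these files passes through one of the guarded functions cannot be confirmed from this page.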

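--- a/src/backend/utils/adt/jsonb.c
+++ b/src/backend/utils/adt/jsonb.c
@@ -712,6 +712,8 @@ datum_to_jsonb(Datum val, bool is_null, JsonbInState *result,
 JsonbValuejb;
 boolscalar_jsonb= false;
 
+check_stack_depth();
+
 if (is_null)
 {
 Assert(!key_scalar);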

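--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -3724,6 +3724,8 @@ setPath(JsonbIterator **it, Datum *path_elems,
 JsonbValue*res=NULL;
 intr;
 
+check_stack_depth();
+
 if (path_nulls[level])
 elog(ERROR,"path element at the position %d is NULL",level+1);
 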

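--- a/src/test/regress/expected/json.out
+++ b/src/test/regress/expected/json.out
@@ -231,6 +231,15 @@ LINE 1: SELECT '{"abc":1,3}'::json;
 ^
 DETAIL: Expected string, but found "3".
 CONTEXT: JSON data, line 1: {"abc":1,3...
+-- Recursion.
+SET max_stack_depth = '100kB';
+SELECT repeat('[', 1000)::json;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+SELECT repeat('{"a":', 1000)::json;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+RESET max_stack_depth;
 -- Miscellaneous stuff.
 SELECT 'true'::json;-- OK
 json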

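--- a/src/test/regress/expected/json_1.out
+++ b/src/test/regress/expected/json_1.out
@@ -231,6 +231,15 @@ LINE 1: SELECT '{"abc":1,3}'::json;
 ^
 DETAIL: Expected string, but found "3".
 CONTEXT: JSON data, line 1: {"abc":1,3...
+-- Recursion.
+SET max_stack_depth = '100kB';
+SELECT repeat('[', 1000)::json;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+SELECT repeat('{"a":', 1000)::json;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+RESET max_stack_depth;
 -- Miscellaneous stuff.
 SELECT 'true'::json;-- OK
 json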

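--- a/src/test/regress/expected/jsonb.out
+++ b/src/test/regress/expected/jsonb.out
@@ -239,6 +239,15 @@ LINE 1: SELECT '{"abc":1,3}'::jsonb;
 ^
 DETAIL: Expected string, but found "3".
 CONTEXT: JSON data, line 1: {"abc":1,3...
+-- Recursion.
+SET max_stack_depth = '100kB';
+SELECT repeat('[', 1000)::jsonb;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+SELECT repeat('{"a":', 1000)::jsonb;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+RESET max_stack_depth;
 -- Miscellaneous stuff.
 SELECT 'true'::jsonb;-- OK
 jsonb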

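--- a/src/test/regress/expected/jsonb_1.out
+++ b/src/test/regress/expected/jsonb_1.out
@@ -239,6 +239,15 @@ LINE 1: SELECT '{"abc":1,3}'::jsonb;
 ^
 DETAIL: Expected string, but found "3".
 CONTEXT: JSON data, line 1: {"abc":1,3...
+-- Recursion.
+SET max_stack_depth = '100kB';
+SELECT repeat('[', 1000)::jsonb;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+SELECT repeat('{"a":', 1000)::jsonb;
+ERROR: stack depth limit exceeded
+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.
+RESET max_stack_depth;
 -- Miscellaneous stuff.
 SELECT 'true'::jsonb;-- OK
 jsonb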

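--- a/src/test/regress/sql/json.sql
+++ b/src/test/regress/sql/json.sql
@@ -45,6 +45,12 @@ SELECT '{"abc":1,"def":2,"ghi":[3,4],"hij":{"klm":5,"nop":[6]}}'::json; -- OK
 SELECT'{"abc":1:2}'::json;-- ERROR, colon in wrong spot
 SELECT'{"abc":1,3}'::json;-- ERROR, no value
 
+-- Recursion.
+SET max_stack_depth='100kB';
+SELECT repeat('[',1000)::json;
+SELECT repeat('{"a":',1000)::json;
+RESET max_stack_depth;
+
 -- Miscellaneous stuff.
 SELECT'true'::json;-- OK
 SELECT'false'::json;-- OK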
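Review bot: The added cases only drive the parser (`repeat('[',1000)::json` and the `{"a":` form), so the `check_stack_depth()` calls this commit adds to datum_to_json, datum_to_jsonb and setPath have no regression coverage; jsonb.sql has the same gap. A case that builds deeply nested output through row_to_json()/array_to_json(), which the commit message names as affected, and one that reaches setPath through its SQL-level caller, would pin those guards too, provided such input can be constructed under the lowered limit. The expected ERROR also depends on 1000 nesting levels exceeding 100kB of stack on every platform, which is worth stating in a comment next to `SET max_stack_depth='100kB';`, for example `-- 1000 levels must overrun the lowered limit regardless of frame size`.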

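--- a/src/test/regress/sql/jsonb.sql
+++ b/src/test/regress/sql/jsonb.sql
@@ -48,6 +48,12 @@ SELECT '{"abc":1,"def":2,"ghi":[3,4],"hij":{"klm":5,"nop":[6]}}'::jsonb; -- OK
 SELECT'{"abc":1:2}'::jsonb;-- ERROR, colon in wrong spot
 SELECT'{"abc":1,3}'::jsonb;-- ERROR, no value
 
+-- Recursion.
+SET max_stack_depth='100kB';
+SELECT repeat('[',1000)::jsonb;
+SELECT repeat('{"a":',1000)::jsonb;
+RESET max_stack_depth;
+
 -- Miscellaneous stuff.
 SELECT'true'::jsonb;-- OK
 SELECT'false'::jsonb;-- OK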
