
Commit0a18be7

committed
Merge branch 'REL9_5_STABLE' into PGPRO9_5
Merged fix for CVE-2016-0773
2 parents4b04d80 +129b6cf commit0a18be7


11 files changed

+156
-18
lines changed


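--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -34,6 +34,19 @@
 
 <itemizedlist>
 
+<listitem>
+<para>
+Fix infinite loops and buffer-overrun problems in regular expressions
+(Tom Lane)
+</para>
+
+<para>
+Very large character ranges in bracket expressions could cause
+infinite loops in some cases, and memory overwrites in other cases.
+(CVE-2016-0773)
+</para>
+</listitem>
+
 <listitem>
 <para>
 Perform an immediate shutdown if the <filename>postmaster.pid</> file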

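--- a/doc/src/sgml/release-9.2.sgml
+++ b/doc/src/sgml/release-9.2.sgml
@@ -34,6 +34,19 @@
 
 <itemizedlist>
 
+<listitem>
+<para>
+Fix infinite loops and buffer-overrun problems in regular expressions
+(Tom Lane)
+</para>
+
+<para>
+Very large character ranges in bracket expressions could cause
+infinite loops in some cases, and memory overwrites in other cases.
+(CVE-2016-0773)
+</para>
+</listitem>
+
 <listitem>
 <para>
 Perform an immediate shutdown if the <filename>postmaster.pid</> file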

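--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@@ -34,6 +34,19 @@
 
 <itemizedlist>
 
+<listitem>
+<para>
+Fix infinite loops and buffer-overrun problems in regular expressions
+(Tom Lane)
+</para>
+
+<para>
+Very large character ranges in bracket expressions could cause
+infinite loops in some cases, and memory overwrites in other cases.
+(CVE-2016-0773)
+</para>
+</listitem>
+
 <listitem>
 <para>
 Perform an immediate shutdown if the <filename>postmaster.pid</> file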

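--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@@ -65,6 +65,19 @@ Branch: REL9_4_STABLE [788e35ac0] 2015-11-05 18:15:48 -0500
 </para>
 </listitem>
 
+<listitem>
+<para>
+Fix infinite loops and buffer-overrun problems in regular expressions
+(Tom Lane)
+</para>
+
+<para>
+Very large character ranges in bracket expressions could cause
+infinite loops in some cases, and memory overwrites in other cases.
+(CVE-2016-0773)
+</para>
+</listitem>
+
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [7e2a18a91] 2015-10-06 17:15:52 -0400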

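--- a/doc/src/sgml/release-9.5.sgml
+++ b/doc/src/sgml/release-9.5.sgml
@@ -28,6 +28,29 @@
 
 <itemizedlist>
 
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [3bb3f42f3] 2016-02-08 10:25:40 -0500
+Branch: REL9_5_STABLE [a61de2bc1] 2016-02-08 10:25:40 -0500
+Branch: REL9_4_STABLE [fdc3139e2] 2016-02-08 10:25:40 -0500
+Branch: REL9_3_STABLE [6403a6b74] 2016-02-08 10:25:40 -0500
+Branch: REL9_2_STABLE [e93516cf7] 2016-02-08 10:25:40 -0500
+Branch: REL9_1_STABLE [98d6b7305] 2016-02-08 10:25:40 -0500
+-->
+
+<listitem>
+<para>
+Fix infinite loops and buffer-overrun problems in regular expressions
+(Tom Lane)
+</para>
+
+<para>
+Very large character ranges in bracket expressions could cause
+infinite loops in some cases, and memory overwrites in other cases.
+(CVE-2016-0773)
+</para>
+</listitem>
+
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [f867ce551] 2016-02-07 12:29:32 -0500
@@ -41,6 +64,32 @@ Branch: REL9_5_STABLE [129db3cbe] 2016-02-07 12:29:17 -0500
 </para>
 </listitem>
 
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [a6897efab] 2016-02-08 11:03:31 +0100
+Branch: REL9_5_STABLE [87dbc72a7] 2016-02-08 11:03:37 +0100
+-->
+
+<listitem>
+<para>
+Avoid pushdown of <literal>HAVING</> clauses when grouping sets are
+used (Andrew Gierth)
+</para>
+</listitem>
+
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [cc2ca9319] 2016-02-07 14:57:24 -0500
+Branch: REL9_5_STABLE [82406d6ff] 2016-02-07 14:57:24 -0500
+-->
+
+<listitem>
+<para>
+Fix deparsing of <literal>ON CONFLICT</> arbiter <literal>WHERE</>
+clauses (Peter Geoghegan)
+</para>
+</listitem>
+
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [b8682a715] 2016-01-26 15:38:33 -0500
@@ -272,6 +321,8 @@ Branch: REL9_5_STABLE [40482e606] 2016-02-01 13:20:37 +0100
 Branch: REL9_3_STABLE [0b55fef39] 2016-02-01 13:19:10 +0100
 Branch: REL9_2_STABLE [d9ce5d201] 2016-02-01 13:19:34 +0100
 Branch: REL9_1_STABLE [79782b407] 2016-02-01 13:19:43 +0100
+Author: Andres Freund <andres@anarazel.de>
+Branch: REL9_4_STABLE [33b26426e] 2016-02-08 11:10:14 +0100
 -->
 
 <listitem>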

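--- a/src/backend/regex/regc_lex.c
+++ b/src/backend/regex/regc_lex.c
@@ -792,13 +792,13 @@ lexescape(struct vars * v)
 break;
 caseCHR('u'):
 c=lexdigits(v,16,4,4);
-if (ISERR())
+if (ISERR()||c<CHR_MIN||c>CHR_MAX)
 FAILW(REG_EESCAPE);
 RETV(PLAIN,c);
 break;
 caseCHR('U'):
 c=lexdigits(v,16,8,8);
-if (ISERR())
+if (ISERR()||c<CHR_MIN||c>CHR_MAX)
 FAILW(REG_EESCAPE);
 RETV(PLAIN,c);
 break;
@@ -816,7 +816,7 @@ lexescape(struct vars * v)
 caseCHR('x'):
 NOTE(REG_UUNPORT);
 c=lexdigits(v,16,1,255);/* REs >255 long outside spec */
-if (ISERR())
+if (ISERR()||c<CHR_MIN||c>CHR_MAX)
 FAILW(REG_EESCAPE);
 RETV(PLAIN,c);
 break;
@@ -872,6 +872,9 @@ lexescape(struct vars * v)
 
 /*
 * lexdigits - slurp up digits and return chr value
+*
+* This does not account for overflow; callers should range-check the result
+* if maxlen is large enough to make that possible.
 */
 staticchr/* chr value; errors signalled via ERR */
 lexdigits(structvars*v,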
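Review bot: The `c<CHR_MIN||c>CHR_MAX` guards in the `\u`, `\U` and `\x` cases inspect the value only after lexdigits has finished accumulating it, and the comment this commit adds to lexdigits says it does not account for overflow; in the `\x` case, which accepts up to 255 digits, an escape long enough to wrap the 32-bit accumulator can therefore land back inside [CHR_MIN, CHR_MAX] and be accepted as a chr other than the one written. That is no longer a memory-safety problem, but it would be tighter for lexdigits itself to raise REG_EESCAPE as soon as the next digit would carry the accumulator past CHR_MAX, so all three callers get an exact check rather than a post-hoc range test. Separately, if chr is an unsigned type (its typedef is not in this hunk) the `c<CHR_MIN` half is always false for CHR_MIN == 0 and -Wtype-limits will flag it. lexescape begins and ends outside these hunks.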

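--- a/src/backend/regex/regc_locale.c
+++ b/src/backend/regex/regc_locale.c
@@ -408,8 +408,7 @@ range(struct vars * v,/* context */
 intnchrs;
 structcvec*cv;
 celtc,
-lc,
-uc;
+cc;
 
 if (a!=b&& !before(a,b))
 {
@@ -427,24 +426,51 @@ range(struct vars * v,/* context */
 
 /*
 * When case-independent, it's hard to decide when cvec ranges are usable,
-* so for now at least, we won't try. We allocate enough space for two
-* case variants plus a little extra for the two title case variants.
+* so for now at least, we won't try. We use a range for the originally
+* specified chrs and then add on any case-equivalents that are outside
+* that range as individual chrs.
+*
+* To ensure sane behavior if someone specifies a very large range, limit
+* the allocation size to 100000 chrs (arbitrary) and check for overrun
+* inside the loop below.
 */
+nchrs=b-a+1;
+if (nchrs <=0||nchrs>100000)
+nchrs=100000;
 
-nchrs= (b-a+1)*2+4;
-
-cv=getcvec(v,nchrs,0);
+cv=getcvec(v,nchrs,1);
 NOERRN();
+addrange(cv,a,b);
 
 for (c=a;c <=b;c++)
 {
-addchr(cv,c);
-lc=pg_wc_tolower((chr)c);
-if (c!=lc)
-addchr(cv,lc);
-uc=pg_wc_toupper((chr)c);
-if (c!=uc)
-addchr(cv,uc);
+cc=pg_wc_tolower((chr)c);
+if (cc!=c&&
+(before(cc,a)||before(b,cc)))
+{
+if (cv->nchrs >=cv->chrspace)
+{
+ERR(REG_ETOOBIG);
+returnNULL;
+}
+addchr(cv,cc);
+}
+cc=pg_wc_toupper((chr)c);
+if (cc!=c&&
+(before(cc,a)||before(b,cc)))
+{
+if (cv->nchrs >=cv->chrspace)
+{
+ERR(REG_ETOOBIG);
+returnNULL;
+}
+addchr(cv,cc);
+}
+if (CANCEL_REQUESTED(v->re))
+{
+ERR(REG_CANCEL);
+returnNULL;
+}
 }
 
 returncv;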
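Review bot: The rewritten loop still calls pg_wc_tolower and pg_wc_toupper once for every chr in [a, b], so the work stays linear in the width of the range even though the cvec now stores the range compactly via `addrange(cv,a,b)` and its chr allocation is capped at 100000; as far as this hunk shows, only the `CANCEL_REQUESTED(v->re)` test at the bottom of the loop body keeps a full-width range interruptible. The block comment above `nchrs=b-a+1` explains the allocation cap but not this, so a line such as `* Note the loop below is still O(b-a); CANCEL_REQUESTED keeps it interruptible.` would stop the next reader from assuming the range is now handled in constant time. The two overrun checks before each `addchr(cv,cc)` are identical and could be folded into one small static helper so the REG_ETOOBIG path lives in one place. range() starts before the first hunk.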

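--- a/src/backend/regex/regcomp.c
+++ b/src/backend/regex/regcomp.c
@@ -1586,6 +1586,7 @@ dovec(struct vars * v,
 {
 ch=*p;
 newarc(v->nfa,PLAIN,subcolor(v->cm,ch),lp,rp);
+NOERR();
 }
 
 /* and the ranges */
@@ -1595,6 +1596,7 @@ dovec(struct vars * v,
 to=*(p+1);
 if (from <=to)
 subrange(v,from,to,lp,rp);
+NOERR();
 }
 }
 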
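Review bot: In the second hunk the added `NOERR();` sits after the unbraced `if (from <=to)` rather than inside it, so it runs on every iteration whether or not subrange() was called; harmless, but it reads as if the check belonged to the loop rather than to the call. Bracing the call and the check together, `if (from <=to) { subrange(v,from,to,lp,rp); NOERR(); }`, would match the first hunk, where `NOERR();` directly follows the newarc() it guards. dovec() begins and ends outside both hunks, so whether any other emission site in it needs the same check cannot be seen here.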

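--- a/src/include/regex/regcustom.h
+++ b/src/include/regex/regcustom.h
@@ -65,7 +65,8 @@ typedef int celt;/* type to hold chr, or NOCELT */
 #defineDIGITVAL(c) ((c)-'0')/* turn chr digit into its value */
 #defineCHRBITS 32/* bits in a chr; must not use sizeof */
 #defineCHR_MIN 0x00000000/* smallest and largest chr; the value */
-#defineCHR_MAX 0xfffffffe/* CHR_MAX-CHR_MIN+1 should fit in uchr */
+#defineCHR_MAX 0x7ffffffe/* CHR_MAX-CHR_MIN+1 must fit in an int, and
+* CHR_MAX+1 must fit in both chr and celt */
 
 /* functions operating on chr */
 #defineiscalnum(x) pg_wc_isalnum(x)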
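Review bot: The new CHR_MAX comment states two invariants that the regc_locale.c change relies on (`nchrs=b-a+1` needs CHR_MAX-CHR_MIN+1 to fit in an int, and the final increment of the `c <=b` loop needs CHR_MAX+1 to fit in celt), but nothing in the header enforces them, so a later edit to CHR_MAX would silently reintroduce the overflow this commit removes. The int half can be pinned with a preprocessor guard beside the define, e.g. `#if (CHR_MAX - CHR_MIN + 1) > INT_MAX` / `#error "CHR_MAX too large for int"` / `#endif`, provided INT_MAX is in scope at this point (not visible here). The chr/celt half cannot be expressed in the preprocessor, so a short comment naming the places that depend on it would at least make the dependency greppable.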

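--- a/src/test/regress/expected/regex.out
+++ b/src/test/regress/expected/regex.out
@@ -326,3 +326,5 @@ select 'xyz' ~ 'x(\w)(?=\1)'; -- no backrefs in LACONs
 ERROR: invalid regular expression: invalid backreference number
 select 'xyz' ~ 'x(\w)(?=(\1))';
 ERROR: invalid regular expression: invalid backreference number
+select 'a' ~ '\x7fffffff'; -- invalid chr code
+ERROR: invalid regular expression: invalid escape \ sequence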

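--- a/src/test/regress/sql/regex.sql
+++ b/src/test/regress/sql/regex.sql
@@ -86,3 +86,4 @@ select 'a' ~ '()+\1';
 -- Error conditions
 select'xyz' ~'x(\w)(?=\1)';-- no backrefs in LACONs
 select'xyz' ~'x(\w)(?=(\1))';
+select'a' ~'\x7fffffff';-- invalid chr code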
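Review bot: The new case exercises only the `\x` branch of the guard added in regc_lex.c; the `\U` branch takes eight hex digits and received the identical check, so `select 'a' ~ '\U7fffffff'; -- invalid chr code` (with the same expected error line in regex.out) would cover it as well. `\u` is limited to four digits and cannot exceed CHR_MAX, so it needs no case. The bracket-range rewrite in regc_locale.c has no direct regression case here either; a narrow range under `~*` whose case-equivalents fall outside it would exercise the new addchr path without the cost of a full-width range.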
