NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit0a18be7

committed

Merge branch 'REL9_5_STABLE' into PGPRO9_5

Merged fix forCVE-2016-0773

2 parents4b04d80 +129b6cf commit0a18be7Copy full SHA for 0a18be7

File tree

11 files changed

+156

-18

lines changed

doc/src/sgml
src
- backend/regex
- include/regex
  - regcustom.h
- test/regress
  - expected
    - regex.out
  - sql
    - regex.sql

11 files changed

+156

-18

lines changed

`‎doc/src/sgml/release-9.1.sgml`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,19 @@`
`34`	`34`
`35`	`35`	`<itemizedlist>`
`36`	`36`
	`37`	`+ <listitem>`
	`38`	`+ <para>`
	`39`	`+ Fix infinite loops and buffer-overrun problems in regular expressions`
	`40`	`+ (Tom Lane)`
	`41`	`+ </para>`
	`42`	`+`
	`43`	`+ <para>`
	`44`	`+ Very large character ranges in bracket expressions could cause`
	`45`	`+ infinite loops in some cases, and memory overwrites in other cases.`
	`46`	`+ (CVE-2016-0773)`
	`47`	`+ </para>`
	`48`	`+ </listitem>`
	`49`	`+`
`37`	`50`	`<listitem>`
`38`	`51`	`<para>`
`39`	`52`	`Perform an immediate shutdown if the <filename>postmaster.pid</> file`

`‎doc/src/sgml/release-9.2.sgml`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,19 @@`
`34`	`34`
`35`	`35`	`<itemizedlist>`
`36`	`36`
	`37`	`+ <listitem>`
	`38`	`+ <para>`
	`39`	`+ Fix infinite loops and buffer-overrun problems in regular expressions`
	`40`	`+ (Tom Lane)`
	`41`	`+ </para>`
	`42`	`+`
	`43`	`+ <para>`
	`44`	`+ Very large character ranges in bracket expressions could cause`
	`45`	`+ infinite loops in some cases, and memory overwrites in other cases.`
	`46`	`+ (CVE-2016-0773)`
	`47`	`+ </para>`
	`48`	`+ </listitem>`
	`49`	`+`
`37`	`50`	`<listitem>`
`38`	`51`	`<para>`
`39`	`52`	`Perform an immediate shutdown if the <filename>postmaster.pid</> file`

`‎doc/src/sgml/release-9.3.sgml`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,19 @@`
`34`	`34`
`35`	`35`	`<itemizedlist>`
`36`	`36`
	`37`	`+ <listitem>`
	`38`	`+ <para>`
	`39`	`+ Fix infinite loops and buffer-overrun problems in regular expressions`
	`40`	`+ (Tom Lane)`
	`41`	`+ </para>`
	`42`	`+`
	`43`	`+ <para>`
	`44`	`+ Very large character ranges in bracket expressions could cause`
	`45`	`+ infinite loops in some cases, and memory overwrites in other cases.`
	`46`	`+ (CVE-2016-0773)`
	`47`	`+ </para>`
	`48`	`+ </listitem>`
	`49`	`+`
`37`	`50`	`<listitem>`
`38`	`51`	`<para>`
`39`	`52`	`Perform an immediate shutdown if the <filename>postmaster.pid</> file`

`‎doc/src/sgml/release-9.4.sgml`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,19 @@ Branch: REL9_4_STABLE [788e35ac0] 2015-11-05 18:15:48 -0500`
`65`	`65`	`</para>`
`66`	`66`	`</listitem>`
`67`	`67`
	`68`	`+ <listitem>`
	`69`	`+ <para>`
	`70`	`+ Fix infinite loops and buffer-overrun problems in regular expressions`
	`71`	`+ (Tom Lane)`
	`72`	`+ </para>`
	`73`	`+`
	`74`	`+ <para>`
	`75`	`+ Very large character ranges in bracket expressions could cause`
	`76`	`+ infinite loops in some cases, and memory overwrites in other cases.`
	`77`	`+ (CVE-2016-0773)`
	`78`	`+ </para>`
	`79`	`+ </listitem>`
	`80`	`+`
`68`	`81`	`<!--`
`69`	`82`	`Author: Tom Lane <tgl@sss.pgh.pa.us>`
`70`	`83`	`Branch: master [7e2a18a91] 2015-10-06 17:15:52 -0400`

`‎doc/src/sgml/release-9.5.sgml`

Lines changed: 51 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,29 @@`
`28`	`28`
`29`	`29`	`<itemizedlist>`
`30`	`30`
	`31`	`+<!--`
	`32`	`+Author: Tom Lane <tgl@sss.pgh.pa.us>`
	`33`	`+Branch: master [3bb3f42f3] 2016-02-08 10:25:40 -0500`
	`34`	`+Branch: REL9_5_STABLE [a61de2bc1] 2016-02-08 10:25:40 -0500`
	`35`	`+Branch: REL9_4_STABLE [fdc3139e2] 2016-02-08 10:25:40 -0500`
	`36`	`+Branch: REL9_3_STABLE [6403a6b74] 2016-02-08 10:25:40 -0500`
	`37`	`+Branch: REL9_2_STABLE [e93516cf7] 2016-02-08 10:25:40 -0500`
	`38`	`+Branch: REL9_1_STABLE [98d6b7305] 2016-02-08 10:25:40 -0500`
	`39`	`+-->`
	`40`	`+`
	`41`	`+ <listitem>`
	`42`	`+ <para>`
	`43`	`+ Fix infinite loops and buffer-overrun problems in regular expressions`
	`44`	`+ (Tom Lane)`
	`45`	`+ </para>`
	`46`	`+`
	`47`	`+ <para>`
	`48`	`+ Very large character ranges in bracket expressions could cause`
	`49`	`+ infinite loops in some cases, and memory overwrites in other cases.`
	`50`	`+ (CVE-2016-0773)`
	`51`	`+ </para>`
	`52`	`+ </listitem>`
	`53`	`+`
`31`	`54`	`<!--`
`32`	`55`	`Author: Tom Lane <tgl@sss.pgh.pa.us>`
`33`	`56`	`Branch: master [f867ce551] 2016-02-07 12:29:32 -0500`
`@@ -41,6 +64,32 @@ Branch: REL9_5_STABLE [129db3cbe] 2016-02-07 12:29:17 -0500`
`41`	`64`	`</para>`
`42`	`65`	`</listitem>`
`43`	`66`
	`67`	`+<!--`
	`68`	`+Author: Andres Freund <andres@anarazel.de>`
	`69`	`+Branch: master [a6897efab] 2016-02-08 11:03:31 +0100`
	`70`	`+Branch: REL9_5_STABLE [87dbc72a7] 2016-02-08 11:03:37 +0100`
	`71`	`+-->`
	`72`	`+`
	`73`	`+ <listitem>`
	`74`	`+ <para>`
	`75`	`+ Avoid pushdown of <literal>HAVING</> clauses when grouping sets are`
	`76`	`+ used (Andrew Gierth)`
	`77`	`+ </para>`
	`78`	`+ </listitem>`
	`79`	`+`
	`80`	`+<!--`
	`81`	`+Author: Tom Lane <tgl@sss.pgh.pa.us>`
	`82`	`+Branch: master [cc2ca9319] 2016-02-07 14:57:24 -0500`
	`83`	`+Branch: REL9_5_STABLE [82406d6ff] 2016-02-07 14:57:24 -0500`
	`84`	`+-->`
	`85`	`+`
	`86`	`+ <listitem>`
	`87`	`+ <para>`
	`88`	`+ Fix deparsing of <literal>ON CONFLICT</> arbiter <literal>WHERE</>`
	`89`	`+ clauses (Peter Geoghegan)`
	`90`	`+ </para>`
	`91`	`+ </listitem>`
	`92`	`+`
`44`	`93`	`<!--`
`45`	`94`	`Author: Tom Lane <tgl@sss.pgh.pa.us>`
`46`	`95`	`Branch: master [b8682a715] 2016-01-26 15:38:33 -0500`
`@@ -272,6 +321,8 @@ Branch: REL9_5_STABLE [40482e606] 2016-02-01 13:20:37 +0100`
`272`	`321`	`Branch: REL9_3_STABLE [0b55fef39] 2016-02-01 13:19:10 +0100`
`273`	`322`	`Branch: REL9_2_STABLE [d9ce5d201] 2016-02-01 13:19:34 +0100`
`274`	`323`	`Branch: REL9_1_STABLE [79782b407] 2016-02-01 13:19:43 +0100`
	`324`	`+Author: Andres Freund <andres@anarazel.de>`
	`325`	`+Branch: REL9_4_STABLE [33b26426e] 2016-02-08 11:10:14 +0100`
`275`	`326`	`-->`
`276`	`327`
`277`	`328`	`<listitem>`

`‎src/backend/regex/regc_lex.c`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -792,13 +792,13 @@ lexescape(struct vars * v)`
`792`	`792`	`break;`
`793`	`793`	`caseCHR('u'):`
`794`	`794`	`c=lexdigits(v,16,4,4);`
`795`		`-if (ISERR())`
	`795`	`+if (ISERR()\|\|c<CHR_MIN\|\|c>CHR_MAX)`
`796`	`796`	`FAILW(REG_EESCAPE);`
`797`	`797`	`RETV(PLAIN,c);`
`798`	`798`	`break;`
`799`	`799`	`caseCHR('U'):`
`800`	`800`	`c=lexdigits(v,16,8,8);`
`801`		`-if (ISERR())`
	`801`	`+if (ISERR()\|\|c<CHR_MIN\|\|c>CHR_MAX)`
`802`	`802`	`FAILW(REG_EESCAPE);`
`803`	`803`	`RETV(PLAIN,c);`
`804`	`804`	`break;`
`@@ -816,7 +816,7 @@ lexescape(struct vars * v)`
`816`	`816`	`caseCHR('x'):`
`817`	`817`	`NOTE(REG_UUNPORT);`
`818`	`818`	`c=lexdigits(v,16,1,255);/* REs >255 long outside spec */`
`819`		`-if (ISERR())`
	`819`	`+if (ISERR()\|\|c<CHR_MIN\|\|c>CHR_MAX)`
`820`	`820`	`FAILW(REG_EESCAPE);`
`821`	`821`	`RETV(PLAIN,c);`
`822`	`822`	`break;`
`@@ -872,6 +872,9 @@ lexescape(struct vars * v)`
`872`	`872`
`873`	`873`	`/*`
`874`	`874`	`* lexdigits - slurp up digits and return chr value`
	`875`	`+ *`
	`876`	`+ * This does not account for overflow; callers should range-check the result`
	`877`	`+ * if maxlen is large enough to make that possible.`
`875`	`878`	`*/`
`876`	`879`	`staticchr/* chr value; errors signalled via ERR */`
`877`	`880`	`lexdigits(structvars*v,`

`‎src/backend/regex/regc_locale.c`

Lines changed: 40 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -408,8 +408,7 @@ range(struct vars * v,/* context */`
`408`	`408`	`intnchrs;`
`409`	`409`	`structcvec*cv;`
`410`	`410`	`celtc,`
`411`		`-lc,`
`412`		`-uc;`
	`411`	`+cc;`
`413`	`412`
`414`	`413`	`if (a!=b&& !before(a,b))`
`415`	`414`	`{`
`@@ -427,24 +426,51 @@ range(struct vars * v,/* context */`
`427`	`426`
`428`	`427`	`/*`
`429`	`428`	`* When case-independent, it's hard to decide when cvec ranges are usable,`
`430`		`- * so for now at least, we won't try. We allocate enough space for two`
`431`		`- * case variants plus a little extra for the two title case variants.`
	`429`	`+ * so for now at least, we won't try. We use a range for the originally`
	`430`	`+ * specified chrs and then add on any case-equivalents that are outside`
	`431`	`+ * that range as individual chrs.`
	`432`	`+ *`
	`433`	`+ * To ensure sane behavior if someone specifies a very large range, limit`
	`434`	`+ * the allocation size to 100000 chrs (arbitrary) and check for overrun`
	`435`	`+ * inside the loop below.`
`432`	`436`	`*/`
	`437`	`+nchrs=b-a+1;`
	`438`	`+if (nchrs <=0\|\|nchrs>100000)`
	`439`	`+nchrs=100000;`
`433`	`440`
`434`		`-nchrs= (b-a+1)*2+4;`
`435`		`-`
`436`		`-cv=getcvec(v,nchrs,0);`
	`441`	`+cv=getcvec(v,nchrs,1);`
`437`	`442`	`NOERRN();`
	`443`	`+addrange(cv,a,b);`
`438`	`444`
`439`	`445`	`for (c=a;c <=b;c++)`
`440`	`446`	`{`
`441`		`-addchr(cv,c);`
`442`		`-lc=pg_wc_tolower((chr)c);`
`443`		`-if (c!=lc)`
`444`		`-addchr(cv,lc);`
`445`		`-uc=pg_wc_toupper((chr)c);`
`446`		`-if (c!=uc)`
`447`		`-addchr(cv,uc);`
	`447`	`+cc=pg_wc_tolower((chr)c);`
	`448`	`+if (cc!=c&&`
	`449`	`+(before(cc,a)\|\|before(b,cc)))`
	`450`	`+{`
	`451`	`+if (cv->nchrs >=cv->chrspace)`
	`452`	`+{`
	`453`	`+ERR(REG_ETOOBIG);`
	`454`	`+returnNULL;`
	`455`	`+}`
	`456`	`+addchr(cv,cc);`
	`457`	`+}`
	`458`	`+cc=pg_wc_toupper((chr)c);`
	`459`	`+if (cc!=c&&`
	`460`	`+(before(cc,a)\|\|before(b,cc)))`
	`461`	`+{`
	`462`	`+if (cv->nchrs >=cv->chrspace)`
	`463`	`+{`
	`464`	`+ERR(REG_ETOOBIG);`
	`465`	`+returnNULL;`
	`466`	`+}`
	`467`	`+addchr(cv,cc);`
	`468`	`+}`
	`469`	`+if (CANCEL_REQUESTED(v->re))`
	`470`	`+{`
	`471`	`+ERR(REG_CANCEL);`
	`472`	`+returnNULL;`
	`473`	`+}`
`448`	`474`	`}`
`449`	`475`
`450`	`476`	`returncv;`

`‎src/backend/regex/regcomp.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1586,6 +1586,7 @@ dovec(struct vars * v,`
`1586`	`1586`	`{`
`1587`	`1587`	`ch=*p;`
`1588`	`1588`	`newarc(v->nfa,PLAIN,subcolor(v->cm,ch),lp,rp);`
	`1589`	`+NOERR();`
`1589`	`1590`	`}`
`1590`	`1591`
`1591`	`1592`	`/* and the ranges */`
`@@ -1595,6 +1596,7 @@ dovec(struct vars * v,`
`1595`	`1596`	`to=*(p+1);`
`1596`	`1597`	`if (from <=to)`
`1597`	`1598`	`subrange(v,from,to,lp,rp);`
	`1599`	`+NOERR();`
`1598`	`1600`	`}`
`1599`	`1601`	`}`
`1600`	`1602`

`‎src/include/regex/regcustom.h`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,8 @@ typedef int celt;/* type to hold chr, or NOCELT */`
`65`	`65`	`#defineDIGITVAL(c) ((c)-'0')/* turn chr digit into its value */`
`66`	`66`	`#defineCHRBITS 32/* bits in a chr; must not use sizeof */`
`67`	`67`	`#defineCHR_MIN 0x00000000/* smallest and largest chr; the value */`
`68`		`-#defineCHR_MAX 0xfffffffe/* CHR_MAX-CHR_MIN+1 should fit in uchr */`
	`68`	`+#defineCHR_MAX 0x7ffffffe/* CHR_MAX-CHR_MIN+1 must fit in an int, and`
	`69`	`+ * CHR_MAX+1 must fit in both chr and celt */`
`69`	`70`
`70`	`71`	`/* functions operating on chr */`
`71`	`72`	`#defineiscalnum(x) pg_wc_isalnum(x)`

`‎src/test/regress/expected/regex.out`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -326,3 +326,5 @@ select 'xyz' ~ 'x(\w)(?=\1)'; -- no backrefs in LACONs`
`326`	`326`	`ERROR: invalid regular expression: invalid backreference number`
`327`	`327`	`select 'xyz' ~ 'x(\w)(?=(\1))';`
`328`	`328`	`ERROR: invalid regular expression: invalid backreference number`
	`329`	`+select 'a' ~ '\x7fffffff'; -- invalid chr code`
	`330`	`+ERROR: invalid regular expression: invalid escape \ sequence`

`‎src/test/regress/sql/regex.sql`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -86,3 +86,4 @@ select 'a' ~ '()+\1';`
`86`	`86`	`-- Error conditions`
`87`	`87`	`select'xyz' ~'x(\w)(?=\1)';-- no backrefs in LACONs`
`88`	`88`	`select'xyz' ~'x(\w)(?=(\1))';`
	`89`	`+select'a' ~'\x7fffffff';-- invalid chr code`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0a18be7

File tree

11 files changed

11 files changed

`‎doc/src/sgml/release-9.1.sgml`

`‎doc/src/sgml/release-9.2.sgml`

`‎doc/src/sgml/release-9.3.sgml`

`‎doc/src/sgml/release-9.4.sgml`

`‎doc/src/sgml/release-9.5.sgml`

`‎src/backend/regex/regc_lex.c`

`‎src/backend/regex/regc_locale.c`

`‎src/backend/regex/regcomp.c`

`‎src/include/regex/regcustom.h`

`‎src/test/regress/expected/regex.out`

`‎src/test/regress/sql/regex.sql`

0 commit comments