granicus.if.org Git - postgresql/commit

author	Noah Misch <noah@leadboat.com>
	Mon, 17 Feb 2014 14:33:31 +0000 (09:33 -0500)
committer	Noah Misch <noah@leadboat.com>
	Mon, 17 Feb 2014 14:33:32 +0000 (09:33 -0500)
commit	7a362a176a5c6621b58fb3897b2a4cb15b975810
tree	b6c052e2e69fe1424ee0e0868aa609fe2da28ebb	tree \| snapshot
parent	e4a4fa22352b062bc3548c91fa9bfc6caed7b073	commit \| diff

Predict integer overflow to avoid buffer overruns.

Several functions, mostly type input functions, calculated an allocation
size such that the calculation wrapped to a small positive value when
arguments implied a sufficiently-large requirement.  Writes past the end
of the inadvertent small allocation followed shortly thereafter.
Coverity identified the path_in() vulnerability; code inspection led to
the rest.  In passing, add check_stack_depth() to prevent stack overflow
in related functions.

Back-patch to 8.4 (all supported versions).  The non-comment hstore
changes touch code that did not exist in 8.4, so that part stops at 9.0.

Noah Misch and Heikki Linnakangas, reviewed by Tom Lane.

Security: CVE-2014-0064

contrib/hstore/hstore.h		diff \| blob \| history
contrib/hstore/hstore_io.c		diff \| blob \| history
contrib/hstore/hstore_op.c		diff \| blob \| history
contrib/intarray/_int.h		diff \| blob \| history
contrib/intarray/_int_bool.c		diff \| blob \| history
contrib/ltree/ltree.h		diff \| blob \| history
contrib/ltree/ltree_io.c		diff \| blob \| history
contrib/ltree/ltxtquery_io.c		diff \| blob \| history
src/backend/utils/adt/geo_ops.c		diff \| blob \| history
src/backend/utils/adt/tsquery.c		diff \| blob \| history
src/backend/utils/adt/tsquery_util.c		diff \| blob \| history
src/backend/utils/adt/txid.c		diff \| blob \| history
src/backend/utils/adt/varbit.c		diff \| blob \| history
src/include/tsearch/ts_type.h		diff \| blob \| history
src/include/utils/varbit.h		diff \| blob \| history