Prevent overrunning a heap-allocated buffer if more than 1024 parameters
authorNeil Conway <neilc@samurai.com>
Fri, 21 Jan 2005 00:31:21 +0000 (00:31 +0000)
committerNeil Conway <neilc@samurai.com>
Fri, 21 Jan 2005 00:31:21 +0000 (00:31 +0000)
to a refcursor declaration are specified. This is a minimally-invasive fix
for the buffer overrun -- a more thorough cleanup will be checked into
HEAD.

src/pl/plpgsql/src/gram.y

index 22bd1ef8fd7ef0a7dd70c8bf104d2651bfe92fb1..e630a9d9ebedf3af442d9c68e9ad47380a7f7318 100644 (file)
@@ -4,7 +4,7 @@
  *                                               procedural language
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.48 2003/10/30 17:18:55 tgl Exp $
+ *       $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.48.2.1 2005/01/21 00:31:21 neilc Exp $
  *
  *       This software is copyrighted by Jan Wieck - Hamburg.
  *
@@ -512,6 +512,10 @@ decl_cursor_arglist : decl_cursor_arg
                                        {
                                                int i = $1->nfields++;
 
+                                               /* Guard against overflowing the array on malicious input */
+                                               if (i >= 1024)
+                                                       yyerror("too many parameters specified for refcursor");
+
                                                $1->fieldnames[i] = $3->refname;
                                                $1->varnos[i] = $3->varno;
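Review bot: The added guard `if (i >= 1024)` hard-codes a bound that has to equal the number of elements allocated for `fieldnames` and `varnos`, and that allocation is outside this hunk, so nothing here keeps the two in step. Defining the limit once and using it at both the allocation and this check would remove that dependency; until then a comment such as `/* 1024 must match the size allocated for fieldnames[] and varnos[] */` would at least record it. The check also runs after `$1->nfields++`, and the two stores follow it unconditionally, so it only prevents the out-of-bounds write if `yyerror()` does not return in this grammar; that is presumably the case but is not visible here, and if it can return, the action has to stop before the stores. The grammar action begins and ends outside the hunk.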