From 9581e2699f6379e29151b0bef04ca45a06f5afe0 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 5 Oct 2015 10:06:29 -0400 Subject: [PATCH] Prevent stack overflow in container-type functions. A range type can name another range type as its subtype, and a record type can bear a column of another record type. Consequently, functions like range_cmp() and record_recv() are recursive. Functions at risk include operator family members and referents of pg_type regproc columns. Treat as recursive any such function that looks up and calls the same-purpose function for a record column type or the range subtype. Back-patch to 9.0 (all supported versions). An array type's element type is never itself an array type, so array functions are unaffected. Recursion depth proportional to array dimensionality, found in array_dim_to_jsonb(), is fine thanks to MAXDIM. --- src/backend/utils/adt/rowtypes.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/backend/utils/adt/rowtypes.c b/src/backend/utils/adt/rowtypes.c index 7e7c33fbe4..b4bd4b2066 100644 --- a/src/backend/utils/adt/rowtypes.c +++ b/src/backend/utils/adt/rowtypes.c @@ -19,6 +19,7 @@ #include "catalog/pg_type.h" #include "funcapi.h" #include "libpq/pqformat.h" +#include "miscadmin.h" #include "utils/builtins.h" #include "utils/lsyscache.h" #include "utils/typcache.h" @@ -84,6 +85,8 @@ record_in(PG_FUNCTION_ARGS) bool *nulls; StringInfoData buf; + check_stack_depth(); /* recurses for record-type columns */ + /* * Give a friendly error message if we did not get enough info to identify * the target record type. (lookup_rowtype_tupdesc would fail anyway, but @@ -307,6 +310,8 @@ record_out(PG_FUNCTION_ARGS) bool *nulls; StringInfoData buf; + check_stack_depth(); /* recurses for record-type columns */ + /* Extract type info from the tuple itself */ tupType = HeapTupleHeaderGetTypeId(rec); tupTypmod = HeapTupleHeaderGetTypMod(rec); @@ -470,6 +475,8 @@ record_recv(PG_FUNCTION_ARGS) Datum *values; bool *nulls; + check_stack_depth(); /* recurses for record-type columns */ + /* * Give a friendly error message if we did not get enough info to identify * the target record type. (lookup_rowtype_tupdesc would fail anyway, but @@ -662,6 +669,8 @@ record_send(PG_FUNCTION_ARGS) bool *nulls; StringInfoData buf; + check_stack_depth(); /* recurses for record-type columns */ + /* Extract type info from the tuple itself */ tupType = HeapTupleHeaderGetTypeId(rec); tupTypmod = HeapTupleHeaderGetTypMod(rec); @@ -821,6 +830,8 @@ record_cmp(FunctionCallInfo fcinfo) int i2; int j; + check_stack_depth(); /* recurses for record-type columns */ + /* Extract type info from the tuples */ tupType1 = HeapTupleHeaderGetTypeId(record1); tupTypmod1 = HeapTupleHeaderGetTypMod(record1); @@ -1056,6 +1067,8 @@ record_eq(PG_FUNCTION_ARGS) int i2; int j; + check_stack_depth(); /* recurses for record-type columns */ + /* Extract type info from the tuples */ tupType1 = HeapTupleHeaderGetTypeId(record1); tupTypmod1 = HeapTupleHeaderGetTypMod(record1); -- 2.40.0