mirror of
https://github.com/postgres/postgres.git
synced 2026-05-21 17:58:48 -04:00
Fix assorted places that need to use palloc_array().
multirange_recv and BlockRefTableReaderNextRelation were incautious about multiplying a possibly-large integer by a factor more than 1 and then using it as an allocation size. This is harmless on 64-bit systems where we'd compute a size exceeding MaxAllocSize and then fail, but on 32-bit systems we could overflow size_t leading to an undersized allocation and buffer overrun. Fix these places by using palloc_array() instead of a handwritten multiplication. (In HEAD, some of them were fixed already, but none of that work got back-patched at the time.) In addition, BlockRefTableReaderNextRelation passes the same value to BlockRefTableRead's "int length" parameter. If built for 64-bit frontend code, palloc_array() allows a larger array size than it otherwise would, potentially allowing that parameter to overflow. Add an explicit check to forestall that and keep the behavior the same cross-platform. Reported-by: Xint Code Author: Tom Lane <tgl@sss.pgh.pa.us> Backpatch-through: 14 Security: CVE-2026-6473
This commit is contained in:
Tom Lane
Noah Misch
parent
ebcfa7867f
commit
01b5ef7df0
2 changed files with 25 additions and 11 deletions
|
|
@ -340,7 +340,7 @@ multirange_recv(PG_FUNCTION_ARGS)
|
|||
Oid mltrngtypoid = PG_GETARG_OID(1);
|
||||
int32 typmod = PG_GETARG_INT32(2);
|
||||
MultirangeIOData *cache;
|
||||
uint32 range_count;
|
||||
int32 range_count;
|
||||
RangeType **ranges;
|
||||
MultirangeType *ret;
|
||||
StringInfoData tmpbuf;
|
||||
|
|
@ -348,7 +348,8 @@ multirange_recv(PG_FUNCTION_ARGS)
|
|||
cache = get_multirange_io_data(fcinfo, mltrngtypoid, IOFunc_receive);
|
||||
|
||||
range_count = pq_getmsgint(buf, 4);
|
||||
ranges = palloc(range_count * sizeof(RangeType *));
|
||||
/* palloc_array will enforce a more-or-less-sane range_count value */
|
||||
ranges = palloc_array(RangeType *, range_count);
|
||||
|
||||
initStringInfo(&tmpbuf);
|
||||
for (int i = 0; i < range_count; i++)
|
||||
|
|
@ -835,7 +836,7 @@ multirange_deserialize(TypeCacheEntry *rangetyp,
|
|||
{
|
||||
int i;
|
||||
|
||||
*ranges = palloc(*range_count * sizeof(RangeType *));
|
||||
*ranges = palloc_array(RangeType *, *range_count);
|
||||
for (i = 0; i < *range_count; i++)
|
||||
(*ranges)[i] = multirange_get_range(rangetyp, multirange, i);
|
||||
}
|
||||
|
|
@ -999,7 +1000,7 @@ multirange_constructor2(PG_FUNCTION_ARGS)
|
|||
deconstruct_array(rangeArray, rngtypid, rangetyp->typlen, rangetyp->typbyval,
|
||||
rangetyp->typalign, &elements, &nulls, &range_count);
|
||||
|
||||
ranges = palloc0(range_count * sizeof(RangeType *));
|
||||
ranges = palloc_array(RangeType *, range_count);
|
||||
for (i = 0; i < range_count; i++)
|
||||
{
|
||||
if (nulls[i])
|
||||
|
|
|
|||
|
|
@ -497,7 +497,7 @@ WriteBlockRefTable(BlockRefTable *brtab,
|
|||
|
||||
/* Extract entries into serializable format and sort them. */
|
||||
sdata =
|
||||
palloc(brtab->hash->members * sizeof(BlockRefTableSerializedEntry));
|
||||
palloc_array(BlockRefTableSerializedEntry, brtab->hash->members);
|
||||
blockreftable_start_iterate(brtab->hash, &it);
|
||||
while ((brtentry = blockreftable_iterate(brtab->hash, &it)) != NULL)
|
||||
{
|
||||
|
|
@ -657,10 +657,24 @@ BlockRefTableReaderNextRelation(BlockRefTableReader *reader,
|
|||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
* Sanity-check the nchunks value. In the backend, palloc_array would
|
||||
* enforce this anyway (with a more generic error message); but in
|
||||
* frontend it would not, potentially allowing BlockRefTableRead's length
|
||||
* parameter to overflow.
|
||||
*/
|
||||
if (sentry.nchunks > MaxAllocSize / sizeof(uint16))
|
||||
{
|
||||
reader->error_callback(reader->error_callback_arg,
|
||||
"file \"%s\" has oversized chunk size array",
|
||||
reader->error_filename);
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Read chunk size array. */
|
||||
if (reader->chunk_size != NULL)
|
||||
pfree(reader->chunk_size);
|
||||
reader->chunk_size = palloc(sentry.nchunks * sizeof(uint16));
|
||||
reader->chunk_size = palloc_array(uint16, sentry.nchunks);
|
||||
BlockRefTableRead(reader, reader->chunk_size,
|
||||
sentry.nchunks * sizeof(uint16));
|
||||
|
||||
|
|
@ -997,10 +1011,9 @@ BlockRefTableEntryMarkBlockModified(BlockRefTableEntry *entry,
|
|||
|
||||
if (entry->nchunks == 0)
|
||||
{
|
||||
entry->chunk_size = palloc0(sizeof(uint16) * max_chunks);
|
||||
entry->chunk_usage = palloc0(sizeof(uint16) * max_chunks);
|
||||
entry->chunk_data =
|
||||
palloc0(sizeof(BlockRefTableChunk) * max_chunks);
|
||||
entry->chunk_size = palloc0_array(uint16, max_chunks);
|
||||
entry->chunk_usage = palloc0_array(uint16, max_chunks);
|
||||
entry->chunk_data = palloc0_array(BlockRefTableChunk, max_chunks);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
@ -1029,7 +1042,7 @@ BlockRefTableEntryMarkBlockModified(BlockRefTableEntry *entry,
|
|||
if (entry->chunk_size[chunkno] == 0)
|
||||
{
|
||||
entry->chunk_data[chunkno] =
|
||||
palloc(sizeof(uint16) * INITIAL_ENTRIES_PER_CHUNK);
|
||||
palloc_array(uint16, INITIAL_ENTRIES_PER_CHUNK);
|
||||
entry->chunk_size[chunkno] = INITIAL_ENTRIES_PER_CHUNK;
|
||||
entry->chunk_data[chunkno][0] = chunkoffset;
|
||||
entry->chunk_usage[chunkno] = 1;
|
||||
|
|
|
|||
Loading…
Reference in a new issue