diff --git a/src/backend/utils/adt/multirangetypes.c b/src/backend/utils/adt/multirangetypes.c index 943961fe0ec..6aedf646c9b 100644 --- a/src/backend/utils/adt/multirangetypes.c +++ b/src/backend/utils/adt/multirangetypes.c @@ -340,7 +340,7 @@ multirange_recv(PG_FUNCTION_ARGS) Oid mltrngtypoid = PG_GETARG_OID(1); int32 typmod = PG_GETARG_INT32(2); MultirangeIOData *cache; - uint32 range_count; + int32 range_count; RangeType **ranges; MultirangeType *ret; StringInfoData tmpbuf; @@ -348,7 +348,8 @@ multirange_recv(PG_FUNCTION_ARGS) cache = get_multirange_io_data(fcinfo, mltrngtypoid, IOFunc_receive); range_count = pq_getmsgint(buf, 4); - ranges = palloc(range_count * sizeof(RangeType *)); + /* palloc_array will enforce a more-or-less-sane range_count value */ + ranges = palloc_array(RangeType *, range_count); initStringInfo(&tmpbuf); for (int i = 0; i < range_count; i++) @@ -835,7 +836,7 @@ multirange_deserialize(TypeCacheEntry *rangetyp, { int i; - *ranges = palloc(*range_count * sizeof(RangeType *)); + *ranges = palloc_array(RangeType *, *range_count); for (i = 0; i < *range_count; i++) (*ranges)[i] = multirange_get_range(rangetyp, multirange, i); } @@ -999,7 +1000,7 @@ multirange_constructor2(PG_FUNCTION_ARGS) deconstruct_array(rangeArray, rngtypid, rangetyp->typlen, rangetyp->typbyval, rangetyp->typalign, &elements, &nulls, &range_count); - ranges = palloc0(range_count * sizeof(RangeType *)); + ranges = palloc_array(RangeType *, range_count); for (i = 0; i < range_count; i++) { if (nulls[i]) diff --git a/src/common/blkreftable.c b/src/common/blkreftable.c index b935baf9ad4..5c85d6a5c6d 100644 --- a/src/common/blkreftable.c +++ b/src/common/blkreftable.c @@ -497,7 +497,7 @@ WriteBlockRefTable(BlockRefTable *brtab, /* Extract entries into serializable format and sort them. */ sdata = - palloc(brtab->hash->members * sizeof(BlockRefTableSerializedEntry)); + palloc_array(BlockRefTableSerializedEntry, brtab->hash->members); blockreftable_start_iterate(brtab->hash, &it); while ((brtentry = blockreftable_iterate(brtab->hash, &it)) != NULL) { @@ -657,10 +657,24 @@ BlockRefTableReaderNextRelation(BlockRefTableReader *reader, return false; } + /* + * Sanity-check the nchunks value. In the backend, palloc_array would + * enforce this anyway (with a more generic error message); but in + * frontend it would not, potentially allowing BlockRefTableRead's length + * parameter to overflow. + */ + if (sentry.nchunks > MaxAllocSize / sizeof(uint16)) + { + reader->error_callback(reader->error_callback_arg, + "file \"%s\" has oversized chunk size array", + reader->error_filename); + return false; + } + /* Read chunk size array. */ if (reader->chunk_size != NULL) pfree(reader->chunk_size); - reader->chunk_size = palloc(sentry.nchunks * sizeof(uint16)); + reader->chunk_size = palloc_array(uint16, sentry.nchunks); BlockRefTableRead(reader, reader->chunk_size, sentry.nchunks * sizeof(uint16)); @@ -997,10 +1011,9 @@ BlockRefTableEntryMarkBlockModified(BlockRefTableEntry *entry, if (entry->nchunks == 0) { - entry->chunk_size = palloc0(sizeof(uint16) * max_chunks); - entry->chunk_usage = palloc0(sizeof(uint16) * max_chunks); - entry->chunk_data = - palloc0(sizeof(BlockRefTableChunk) * max_chunks); + entry->chunk_size = palloc0_array(uint16, max_chunks); + entry->chunk_usage = palloc0_array(uint16, max_chunks); + entry->chunk_data = palloc0_array(BlockRefTableChunk, max_chunks); } else { @@ -1029,7 +1042,7 @@ BlockRefTableEntryMarkBlockModified(BlockRefTableEntry *entry, if (entry->chunk_size[chunkno] == 0) { entry->chunk_data[chunkno] = - palloc(sizeof(uint16) * INITIAL_ENTRIES_PER_CHUNK); + palloc_array(uint16, INITIAL_ENTRIES_PER_CHUNK); entry->chunk_size[chunkno] = INITIAL_ENTRIES_PER_CHUNK; entry->chunk_data[chunkno][0] = chunkoffset; entry->chunk_usage[chunkno] = 1;