upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-05-21 17:58:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
postgresql/src
History
Tom Lane f3cee4dc43 Harden our regex engine against integer overflow in size calculations. 
The number of NFA states, number of NFA arcs, and number of colors
are all bounded to reasonably small values.  However, there are
places where we try to allocate arrays sized by products of those
quantities, and those calculations could overflow, enabling
buffer-overrun attacks.  In practice there's no problem on 64-bit
machines, but there are some live scenarios on 32-bit machines.

A related problem is that citerdissect() and creviterdissect()
allocate arrays based on the length of the input string, which
potentially could overflow.

To fix, invent MALLOC_ARRAY and REALLOC_ARRAY macros that rely on
palloc_array_extended and repalloc_array_extended with the NO_OOM
option, similarly to the existing MALLOC and REALLOC macros.
(Like those, they'll throw an error not return a NULL result for
oversize requests.  This doesn't really fit into the regex code's
view of error handling, but it'll do for now.  We can consider
whether to change that behavior in a non-security follow-up patch.)

I installed similar defenses in the colormap construction code.
It's not entirely clear whether integer overflow is possible
there, but analyzing the behavior in detail seems not worth
the trouble, as the risky spots are not in hot code paths.

I left a bunch of calls as-is after verifying that they can't
overflow given reasonable limits on nstates and narcs.  Those
limits were enforced already via REG_MAX_COMPILE_SPACE, but
add commentary to document the interactions.

In passing, also fix a related edge case, which is that the
special color numbers used in LACON carcs could overflow the
"color" data type, if ncolors is close to MAX_COLOR.

In v14 and v15, the regex engine calls malloc() directly instead
of using palloc(), so MALLOC_ARRAY and REALLOC_ARRAY do likewise.

Reported-by: Xint Code
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Masahiko Sawada <sawada.mshk@gmail.com>
Backpatch-through: 14
Security: CVE-2026-6473
2026-05-11 05:13:47 -07:00
..
backend Harden our regex engine against integer overflow in size calculations. 2026-05-11 05:13:47 -07:00
bin Translation updates 2026-05-11 13:03:08 +02:00
common Make palloc_array() and friends safe against integer overflow. 2026-05-11 05:13:47 -07:00
fe_utils Harden astreamer tar parsing logic against archives it can't handle. 2026-04-02 12:20:26 -04:00
include Harden our regex engine against integer overflow in size calculations. 2026-05-11 05:13:47 -07:00
interfaces Add pg_add_size_overflow() and friends 2026-05-11 05:13:47 -07:00
makefiles pgxs.mk: remove unreachable rule for deleting regress.def. 2025-06-20 12:12:29 -04:00
pl Make plpgsql_trap test more robust and less resource-intensive. 2026-04-21 10:54:39 -04:00
port Suppress "has no symbols" linker warnings on macOS. 2026-04-29 12:25:09 -05:00
template thread-safety: gmtime_r(), localtime_r() 2024-08-23 07:43:04 +02:00
test Fix overflows with ts_headline() 2026-05-11 05:13:47 -07:00
timezone Update time zone data files to tzdata release 2026b. 2026-04-24 12:28:35 -04:00
tools Consider opfamily and collation when removing redundant GROUP BY columns 2026-05-08 12:47:26 +09:00
tutorial Doc: simplify the tutorial's window-function examples. 2025-01-21 14:43:21 -05:00
.gitignore
DEVELOPERS
Makefile Remove distprep 2023-11-06 15:18:04 +01:00
Makefile.global.in Don't put library-supplied -L/-I switches before user-supplied ones. 2025-07-29 15:17:40 -04:00
Makefile.shlib Use exported symbols list on macOS for loadable modules as well 2025-06-10 07:04:43 +02:00
meson.build Update copyright for 2025 2025-01-01 11:21:55 -05:00
nls-global.mk Fix update-po for the PGXS case 2025-10-16 20:21:05 +02:00