Prevent 4 more buffer overruns in the PL/PgSQL parser. This is just a
authorNeil Conway <neilc@samurai.com>
Mon, 7 Feb 2005 03:52:22 +0000 (03:52 +0000)
committerNeil Conway <neilc@samurai.com>
Mon, 7 Feb 2005 03:52:22 +0000 (03:52 +0000)
minimally-invasive fix for stable branches; a cleaner fix will be
committed to HEAD soon.

src/pl/plpgsql/src/gram.y

index 908fd364a9be9d7e8a39d6ebf670e6810d08cbf2..a080e53adec724b0a38ea933cbc2c7e1cb3c7c7f 100644 (file)
@@ -4,7 +4,7 @@
  *                                               procedural language
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/pl/plpgsql/src/gram.y,v 1.64.4.1 2005/01/21 00:17:02 neilc Exp $
+ *       $PostgreSQL: pgsql/src/pl/plpgsql/src/gram.y,v 1.64.4.2 2005/02/07 03:52:22 neilc Exp $
  *
  *       This software is copyrighted by Jan Wieck - Hamburg.
  *
@@ -1792,6 +1792,15 @@ read_sql_construct(int until,
                                plpgsql_dstring_append(&ds, yytext);
                                break;
                }
+
+               /* Check for array overflow */
+               if (nparams >= 1024)
+               {
+                       plpgsql_error_lineno = lno;
+                       ereport(ERROR,
+                                       (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                        errmsg("too many variables specified in SQL statement")));
+               }
        }
 
        if (endtoken)
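Review bot: The `nparams >= 1024` test sits at the bottom of the loop body, after the switch has already run, so it prevents an out-of-bounds store only if no iteration adds more than one entry. The code that stores into the array is outside this hunk, so that cannot be confirmed from here. Assuming the array holds 1024 entries and `nparams` is incremented on each store, this placement also raises the error for a statement that fills exactly the last slot, although that store was in bounds. Moving the same `if (nparams >= 1024)` block to immediately before the store would make the guard independent of the loop's shape and allow the full capacity. The second make_select_stmt hunk (`@@ -2014,6 +2032,15 @@`) has the same placement; read_sql_construct's body continues outside the hunk.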
@@ -1940,6 +1949,15 @@ make_select_stmt(void)
 
                                        while ((tok = yylex()) == ',')
                                        {
+                                               /* Check for array overflow */
+                                               if (nfields >= 1024)
+                                               {
+                                                       plpgsql_error_lineno = plpgsql_scanner_lineno();
+                                                       ereport(ERROR,
+                                                                       (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                                                        errmsg("too many INTO variables specified")));
+                                               }
+
                                                tok = yylex();
                                                switch(tok)
                                                {
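Review bot: The literal `1024` in `if (nfields >= 1024)` repeats a size whose declaration is outside the hunk, and `/* Check for array overflow */` does not say which arrays it protects, so a reader cannot confirm that the bound matches. The same bare literal appears in all four checks in this commit (both `nparams` hunks and the make_fetch_stmt hunk). Even for a minimal back-branch fix, one shared constant used by both the array declarations and the checks would keep them from drifting apart, e.g. `#define PLPGSQL_MAX_VARS 1024` (name is a suggestion) and `if (nfields >= PLPGSQL_MAX_VARS)`. Failing that, extend the comment to name the arrays indexed by `nfields`. The enclosing `while` loop continues past the end of the hunk.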
@@ -2014,6 +2032,15 @@ make_select_stmt(void)
                                plpgsql_dstring_append(&ds, yytext);
                                break;
                }
+
+               /* Check for array overflow */
+               if (nparams >= 1024)
+               {
+                       plpgsql_error_lineno = plpgsql_scanner_lineno();
+                       ereport(ERROR,
+                                       (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                        errmsg("too many variables specified in SQL statement")));
+               }
        }
 
        expr = malloc(sizeof(PLpgSQL_expr) + sizeof(int) * nparams - sizeof(int));
@@ -2085,6 +2112,15 @@ make_fetch_stmt(void)
 
                                while ((tok = yylex()) == ',')
                                {
+                                       /* Check for array overflow */
+                                       if (nfields >= 1024)
+                                       {
+                                               plpgsql_error_lineno = plpgsql_scanner_lineno();
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                                                errmsg("too many INTO variables specified")));
+                                       }
+
                                        tok = yylex();
                                        switch(tok)
                                        {