Prevent overrunning a heap-allocated buffer if more than 1024 parameters
authorNeil Conway <neilc@samurai.com>
Fri, 21 Jan 2005 00:17:02 +0000 (00:17 +0000)
committerNeil Conway <neilc@samurai.com>
Fri, 21 Jan 2005 00:17:02 +0000 (00:17 +0000)
to a refcursor declaration are specified. This is a minimally-invasive fix
for the buffer overrun -- a more thorough cleanup will be checked into
HEAD.

src/pl/plpgsql/src/gram.y

index c1d0f6c90ab3f0fc5205119967eece2ced0b3b44..908fd364a9be9d7e8a39d6ebf670e6810d08cbf2 100644 (file)
@@ -4,7 +4,7 @@
  *                                               procedural language
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/pl/plpgsql/src/gram.y,v 1.64 2004/10/25 06:27:21 neilc Exp $
+ *       $PostgreSQL: pgsql/src/pl/plpgsql/src/gram.y,v 1.64.4.1 2005/01/21 00:17:02 neilc Exp $
  *
  *       This software is copyrighted by Jan Wieck - Hamburg.
  *
@@ -474,6 +474,10 @@ decl_cursor_arglist : decl_cursor_arg
                                        {
                                                int i = $1->nfields++;
 
+                                               /* Guard against overflowing the array on malicious input */
+                                               if (i >= 1024)
+                                                       yyerror("too many parameters specified for refcursor");
+
                                                $1->fieldnames[i] = $3->refname;
                                                $1->varnos[i] = $3->dno;
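Review bot: The bound `1024` in the added check is a bare literal that has to match the size with which `fieldnames` and `varnos` were allocated, and that allocation is not visible in this hunk, so the guard stops protecting the two stores below it if the sizes ever drift apart. Using one named constant for both the allocation and the test would tie them together, e.g. `if (i >= MAX_CURSOR_ARGS)`, where `MAX_CURSOR_ARGS` is a placeholder name. The check also depends on `yyerror()` not returning, because `nfields` has already been incremented and the stores follow unconditionally; if that holds here, a comment such as `/* yyerror() does not return */` would make the assumption explicit. The grammar action begins and ends outside the hunk.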