Propagate enlargeStringInfo() fixes into the equivalent code in
authorTom Lane <tgl@sss.pgh.pa.us>
Fri, 14 May 2004 00:20:51 +0000 (00:20 +0000)
committerTom Lane <tgl@sss.pgh.pa.us>
Fri, 14 May 2004 00:20:51 +0000 (00:20 +0000)
pqexpbuffer.c.  While a client-side failure doesn't seem like a
security issue, it's still a bug.

src/interfaces/libpq/pqexpbuffer.c

index 195f6cfd6b9bc9813d86210f8982219a007e2dd3..27b99a279ba62e110889e766b1d67496dc7a8853 100644 (file)
  * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/pqexpbuffer.c,v 1.15 2003/08/04 02:40:20 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/pqexpbuffer.c,v 1.15.4.1 2004/05/14 00:20:51 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
 
 #include "postgres_fe.h"
 
+#include <limits.h>
+
 #include "pqexpbuffer.h"
 
 #ifdef WIN32
@@ -132,7 +134,18 @@ enlargePQExpBuffer(PQExpBuffer str, size_t needed)
        size_t          newlen;
        char       *newdata;
 
+       /*
+        * Guard against ridiculous "needed" values, which can occur if we're
+        * fed bogus data.  Without this, we can get an overflow or infinite
+        * loop in the following.
+        */
+       if (needed >= ((size_t) INT_MAX - str->len))
+               return 0;
+
        needed += str->len + 1;         /* total space required now */
+
+       /* Because of the above test, we now have needed <= INT_MAX */
+
        if (needed <= str->maxlen)
                return 1;                               /* got enough space already */
 
@@ -146,6 +159,14 @@ enlargePQExpBuffer(PQExpBuffer str, size_t needed)
        while (needed > newlen)
                newlen = 2 * newlen;
 
+       /*
+        * Clamp to INT_MAX in case we went past it.  Note we are assuming
+        * here that INT_MAX <= UINT_MAX/2, else the above loop could
+        * overflow.  We will still have newlen >= needed.
+        */
+       if (newlen > (size_t) INT_MAX)
+               newlen = (size_t) INT_MAX;
+
        newdata = (char *) realloc(str->data, newlen);
        if (newdata != NULL)
        {
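Review bot: The guard `if (needed >= ((size_t) INT_MAX - str->len))` in the first hunk is only sound while `str->len` itself stays below INT_MAX; if that invariant were ever broken, the unsigned subtraction would wrap to a very large value and the guard would accept any `needed`. The clamp of `newlen` to INT_MAX in the second hunk appears to be what sustains that invariant (presumably `str->maxlen` is assigned from `newlen` after the realloc, in code outside the hunk), but neither comment says so, so I would extend the guard's comment with `/* Relies on str->len < INT_MAX, which the INT_MAX clamp on newlen below maintains. */`. The same reasoning applies to the `2 * newlen` loop: its termination and the "newlen >= needed" claim hold only because `needed` was already bounded by the first hunk, which is worth cross-referencing in the clamp comment. The realloc-failure branch of enlargePQExpBuffer continues outside the second hunk.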