From: Neil Conway <neilc@samurai.com>
Date: Mon, 7 Feb 2005 03:55:28 +0000 (+0000)
Subject: Prevent 4 more buffer overruns in the PL/PgSQL parser. This is just a
X-Git-Tag: REL7_4_8~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5c057d4b448249ad996e2f4c0c89f120e6270a51;p=thirdparty%2Fpostgresql.git

Prevent 4 more buffer overruns in the PL/PgSQL parser. This is just a
minimally-invasive fix for stable branches; a cleaner fix will be
committed to HEAD soon.
---

diff --git a/src/pl/plpgsql/src/gram.y b/src/pl/plpgsql/src/gram.y
index e630a9d9ebe..a7eb2b3fee9 100644
--- a/src/pl/plpgsql/src/gram.y
+++ b/src/pl/plpgsql/src/gram.y
@@ -4,7 +4,7 @@
  *						  procedural language
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.48.2.1 2005/01/21 00:31:21 neilc Exp $
+ *	  $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.48.2.2 2005/02/07 03:55:28 neilc Exp $
  *
  *	  This software is copyrighted by Jan Wieck - Hamburg.
  *
@@ -1711,6 +1711,15 @@ read_sql_construct(int until,
 				plpgsql_dstring_append(&ds, yytext);
 				break;
 		}
+
+		/* Check for array overflow */
+		if (nparams >= 1024)
+		{
+			plpgsql_error_lineno = lno;
+			ereport(ERROR,
+					(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+					 errmsg("too many variables specified in SQL statement")));
+		}
 	}
 
 	expr = malloc(sizeof(PLpgSQL_expr) + sizeof(int) * nparams - sizeof(int));
@@ -1856,6 +1865,15 @@ make_select_stmt(void)
 
 					while ((tok = yylex()) == ',')
 					{
+						/* Check for array overflow */
+						if (nfields >= 1024)
+						{
+							plpgsql_error_lineno = plpgsql_scanner_lineno();
+							ereport(ERROR,
+									(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+									 errmsg("too many INTO variables specified")));
+						}
+
 						tok = yylex();
 						switch(tok)
 						{
@@ -1918,6 +1936,15 @@ make_select_stmt(void)
 				plpgsql_dstring_append(&ds, yytext);
 				break;
 		}
+
+		/* Check for array overflow */
+		if (nparams >= 1024)
+		{
+			plpgsql_error_lineno = plpgsql_scanner_lineno();
+			ereport(ERROR,
+					(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+					 errmsg("too many variables specified in SQL statement")));
+		}
 	}
 
 	expr = malloc(sizeof(PLpgSQL_expr) + sizeof(int) * nparams - sizeof(int));
@@ -1989,6 +2016,15 @@ make_fetch_stmt(void)
 
 				while ((tok = yylex()) == ',')
 				{
+					/* Check for array overflow */
+					if (nfields >= 1024)
+					{
+						plpgsql_error_lineno = plpgsql_scanner_lineno();
+						ereport(ERROR,
+								(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+								 errmsg("too many INTO variables specified")));
+					}
+
 					tok = yylex();
 					switch(tok)
 					{