The lquery parser in contrib/ltree/ had two overflow problems:
- A single lquery level with many OR-separated variants (e.g.,
'label1|label2|...'), could cause an overflow of totallen, this being
stored as a uint16, meaning a maximum value of UINT16_MAX or 65k. Each
variant contributes MAXALIGN(LVAR_HDRSIZE + len) bytes. With enough
long variants, the value would wraparound. This would corrupt the data
written by LQL_NEXT(), leading to a stack corruption, most likely
translating into a crash, but it would allow incorrect memory access.
- numvar, labelled as a uint16, counts the number of OR-variants in a
single level, and it is incremented without bounds checking. With more
than PG_UINT16_MAX (65k) variants in a single level, and a minimum of
131kB of input data, it would wrap to 0. When a (wildcard) '*' is
used, this would change the query results silently.
For both issues, a set of overflows checks are added to guard against
these problematic patterns.
The first issue has been reported by the three people listed below,
affecting v16 and newer versions due to
b1665bf01e5f. Its coding was
still unsafe in v14 and v15. The second issue affects all the stable
branches; I have bumped into while reviewing the code of the module.
Reported-by: Vergissmeinnicht <vergissmeinnichtzh@gmail.com>
Reported-by: A1ex <alex000young@gmail.com>
Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
Author: Michael Paquier <michael@paquier.xyz>
Security: CVE-2026-6473
Backpatch-through: 14
!tree & aWdf@* | ltxtquery | t | | | |
(8 rows)
+-- Test for overflow of lquery_level.totallen, based on an lquery level with
+-- many OR-variants.
+SELECT (repeat('x', 1000) || repeat('|' || repeat('x', 1000), 65))::lquery;
+ERROR: lquery level is too large
+DETAIL: Total size of level exceeds the maximum allowed (65535 bytes).
+-- Test for overflow of lquery_level.numvar, with a set of single-char
+-- variants in one level.
+SELECT (repeat('a|', 65535) || 'a')::lquery;
+ERROR: lquery level has too many variants
+DETAIL: Number of variants exceeds the maximum allowed (65535).
#include <ctype.h>
+#include "common/int.h"
#include "crc32.h"
#include "libpq/pqformat.h"
#include "ltree.h"
lptr++;
lptr->start = ptr;
state = LQPRS_WAITDELIM;
- curqlevel->numvar++;
+ if (pg_add_u16_overflow(curqlevel->numvar, 1, &curqlevel->numvar))
+ ereturn(escontext, NULL,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("lquery level has too many variants"),
+ errdetail("Number of variants exceeds the maximum allowed (%d).",
+ PG_UINT16_MAX)));
}
else
UNCHAR;
lptr = GETVAR(curqlevel);
while (lptr - GETVAR(curqlevel) < curqlevel->numvar)
{
- cur->totallen += MAXALIGN(LVAR_HDRSIZE + lptr->len);
+ int newlen = cur->totallen + MAXALIGN(LVAR_HDRSIZE + lptr->len);
+
+ if (newlen > PG_UINT16_MAX)
+ ereturn(escontext, NULL,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("lquery level is too large"),
+ errdetail("Total size of level exceeds the maximum allowed (%d bytes).",
+ PG_UINT16_MAX)));
+ cur->totallen = (uint16) newlen;
+
lrptr->len = lptr->len;
lrptr->flag = lptr->flag;
lrptr->val = ltree_crc32_sz(lptr->start, lptr->len);
('!tree & aWdf@*','ltxtquery'))
AS a(str,typ),
LATERAL pg_input_error_info(a.str, a.typ) as errinfo;
+
+-- Test for overflow of lquery_level.totallen, based on an lquery level with
+-- many OR-variants.
+SELECT (repeat('x', 1000) || repeat('|' || repeat('x', 1000), 65))::lquery;
+
+-- Test for overflow of lquery_level.numvar, with a set of single-char
+-- variants in one level.
+SELECT (repeat('a|', 65535) || 'a')::lquery;
projects / thirdparty / postgresql.git / commitdiff
