Guard against overflow in "left" fields of query_int and ltxtquery.

contrib/intarray's query_int type uses an int16 field to hold the
offset from a binary operator node to its left operand.  However, it
allows the number of nodes to be as much as will fit in MaxAllocSize,
so there is a risk of overflowing int16 depending on the precise shape
of the tree.  Simple right-associative cases like "a | b | c | ..."
work fine, so we should not solve this by restricting the overall
number of nodes.  Instead add a direct test of whether each individual
offset is too large.

contrib/ltree's ltxtquery type uses essentially the same logic and
has the same 16-bit restriction.

(The core backend's tsquery.c has a variant of this logic too, but
in that case the target field is 32 bits, so it is okay so long
as varlena datums are restricted to 1GB.)

In v16 and up, these types support soft error reporting, so we have
to complicate the recursive findoprnd function's API a bit to allow
the complaint to be reported softly.  v14/v15 don't need that.

Undocumented and overcomplicated code like this makes my head hurt,
so add some comments and simplify while at it.

Reported-by: Xint Code
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Backpatch-through: 14
Security: CVE-2026-6473

diff --git a/contrib/intarray/_int_bool.c b/contrib/intarray/_int_bool.c
index f45df86d60c3830a74cb63ff4e122dd1a5a97b6d..4382f882939aa70834d1ca4b05ffcb002add8b6f 100644 (file)
--- a/contrib/intarray/_int_bool.c
+++ b/contrib/intarray/_int_bool.c
@@ -434,37 +434,77 @@ boolop(PG_FUNCTION_ARGS)
        PG_RETURN_BOOL(result);
 }
 
-static void
-findoprnd(ITEM *ptr, int32 *pos)
+/*
+ * Recursively fill the "left" fields of an ITEM array that represents
+ * a valid postfix tree.
+ *
+ *     state: only needed for error reporting
+ *     ptr: starting element of array
+ *     pos: in/out argument, the array index this call is responsible to fill
+ *
+ * At exit, *pos has been decremented to point before the sub-tree whose
+ * top is the entry-time value of *pos.
+ *
+ * Returns true if okay, false if error (the only possible error is
+ * overflow of a "left" field).
+ */
+static bool
+findoprnd(WORKSTATE *state, ITEM *ptr, int32 *pos)
 {
+       int32           mypos;
+
        /* since this function recurses, it could be driven to stack overflow. */
        check_stack_depth();
 
+       /* get the position this call is supposed to update */
+       mypos = *pos;
+       Assert(mypos >= 0);
+
+       /* in all cases, we should decrement *pos to advance over this item */
+       (*pos)--;
+
 #ifdef BS_DEBUG
-       elog(DEBUG3, (ptr[*pos].type == OPR) ?
-                "%d  %c" : "%d  %d", *pos, ptr[*pos].val);
+       elog(DEBUG3, (ptr[mypos].type == OPR) ?
+                "%d  %c" : "%d  %d", mypos, ptr[mypos].val);
 #endif
-       if (ptr[*pos].type == VAL)
+
+       if (ptr[mypos].type == VAL)
        {
-               ptr[*pos].left = 0;
-               (*pos)--;
+               /* base case: a VAL has no operand, so just set its left to zero */
+               ptr[mypos].left = 0;
        }
-       else if (ptr[*pos].val == (int32) '!')
+       else if (ptr[mypos].val == (int32) '!')
        {
-               ptr[*pos].left = -1;
-               (*pos)--;
-               findoprnd(ptr, pos);
+               /* unary operator, likewise easy: operand is just before it */
+               ptr[mypos].left = -1;
+               /* recurse to scan operand */
+               if (!findoprnd(state, ptr, pos))
+                       return false;
        }
        else
        {
-               ITEM       *curitem = &ptr[*pos];
-               int32           tmp = *pos;
+               /* binary operator */
+               int32           delta;
 
-               (*pos)--;
-               findoprnd(ptr, pos);
-               curitem->left = *pos - tmp;
-               findoprnd(ptr, pos);
+               /* recurse to scan right operand */
+               if (!findoprnd(state, ptr, pos))
+                       return false;
+               /* we must fill left with offset to left operand's top */
+               /* abs(delta) < QUERYTYPEMAXITEMS, so it can't overflow ... */
+               delta = *pos - mypos;
+               /* ... but it might be too large to fit in the 16-bit left field */
+               Assert(delta < 0);
+               if (unlikely(delta < PG_INT16_MIN))
+                       ereturn(state->escontext, false,
+                                       (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                        errmsg("query_int expression is too complex")));
+               ptr[mypos].left = (int16) delta;
+               /* recurse to scan left operand */
+               if (!findoprnd(state, ptr, pos))
+                       return false;
        }
+
+       return true;
 }
 
 
@@ -515,6 +555,7 @@ bqarr_in(PG_FUNCTION_ARGS)
        query->size = state.num;
        ptr = GETQUERY(query);
 
+       /* fill the query array from the data makepol constructed */
        for (i = state.num - 1; i >= 0; i--)
        {
                ptr[i].type = state.str->type;
@@ -524,8 +565,13 @@ bqarr_in(PG_FUNCTION_ARGS)
                state.str = tmp;
        }
 
+       /* now fill the "left" fields */
        pos = query->size - 1;
-       findoprnd(ptr, &pos);
+       if (!findoprnd(&state, ptr, &pos))
+               PG_RETURN_NULL();
+       /* if successful, findoprnd should have scanned the whole array */
+       Assert(pos == -1);
+
 #ifdef BS_DEBUG
        initStringInfo(&pbuf);
        for (i = 0; i < query->size; i++)

diff --git a/contrib/intarray/expected/_int.out b/contrib/intarray/expected/_int.out
index d0e68d0447fb73d931fe2c89b301b53440094af2..1700dc5a89dc301908d4ec9bb12ec1e0525b6622 100644 (file)
--- a/contrib/intarray/expected/_int.out
+++ b/contrib/intarray/expected/_int.out
@@ -398,6 +398,9 @@ SELECT '1&(2&(4&(5|!6)))'::query_int;
  1 & 2 & 4 & ( 5 | !6 )
 (1 row)
 
+SELECT (SELECT '0 | ' || string_agg(i::text, ' & ')
+        FROM generate_series(1, 17000) AS i)::query_int;
+ERROR:  query_int expression is too complex
 -- test non-error-throwing input
 SELECT str as "query_int",
        pg_input_is_valid(str,'query_int') as ok,

diff --git a/contrib/intarray/sql/_int.sql b/contrib/intarray/sql/_int.sql
index 5668ab40704539b7e5598fe4584d3af6344228e3..47f751a1769abdbcef9a23efbd4287de06bddc0c 100644 (file)
--- a/contrib/intarray/sql/_int.sql
+++ b/contrib/intarray/sql/_int.sql
@@ -74,6 +74,8 @@ SELECT '1&(2&(4&(5&6)))'::query_int;
 SELECT '1&2&4&5&6'::query_int;
 SELECT '1&(2&(4&(5|6)))'::query_int;
 SELECT '1&(2&(4&(5|!6)))'::query_int;
+SELECT (SELECT '0 | ' || string_agg(i::text, ' & ')
+        FROM generate_series(1, 17000) AS i)::query_int;
 
 -- test non-error-throwing input
 

diff --git a/contrib/ltree/expected/ltree.out b/contrib/ltree/expected/ltree.out
index 53ddf6ca330aae2cdb15de7fb08f45cf8594b605..fffd3e37cb21d3e07176976bd28540b84b64cd26 100644 (file)
--- a/contrib/ltree/expected/ltree.out
+++ b/contrib/ltree/expected/ltree.out
@@ -1283,6 +1283,9 @@ SELECT 'tree.awdfg_qwerty'::ltree @ 'tree & aw_rw%*'::ltxtquery;
  f
 (1 row)
 
+SELECT (SELECT 'a | ' || string_agg('b', ' & ')
+        FROM generate_series(1, 17000) AS i)::ltxtquery;
+ERROR:  ltxtquery is too large
 --arrays
 SELECT '{1.2.3}'::ltree[] @> '1.2.3.4';
  ?column? 

diff --git a/contrib/ltree/ltxtquery_io.c b/contrib/ltree/ltxtquery_io.c
index f4296880c035a484a46fd723245bfedb5edf2a96..b1354b9227c1a63e5f799fdca033a1776ddc9a1f 100644 (file)
--- a/contrib/ltree/ltxtquery_io.c
+++ b/contrib/ltree/ltxtquery_io.c
@@ -294,33 +294,71 @@ makepol(QPRS_STATE *state)
        return END;
 }
 
-static void
-findoprnd(ITEM *ptr, int32 *pos)
+/*
+ * Recursively fill the "left" fields of an ITEM array that represents
+ * a valid postfix tree.
+ *
+ *     state: only needed for error reporting
+ *     ptr: starting element of array
+ *     pos: in/out argument, the array index this call is responsible to fill
+ *
+ * At exit, *pos has been incremented to point after the sub-tree whose
+ * top is the entry-time value of *pos.
+ *
+ * Returns true if okay, false if error (the only possible error is
+ * overflow of a "left" field).
+ */
+static bool
+findoprnd(QPRS_STATE *state, ITEM *ptr, int32 *pos)
 {
+       int32           mypos;
+
        /* since this function recurses, it could be driven to stack overflow. */
        check_stack_depth();
 
-       if (ptr[*pos].type == VAL || ptr[*pos].type == VALTRUE)
+       /* get the position this call is supposed to update */
+       mypos = *pos;
+
+       /* in all cases, we should increment *pos to advance over this item */
+       (*pos)++;
+
+       if (ptr[mypos].type == VAL || ptr[mypos].type == VALTRUE)
        {
-               ptr[*pos].left = 0;
-               (*pos)++;
+               /* base case: a VAL has no operand, so just set its left to zero */
+               ptr[mypos].left = 0;
        }
-       else if (ptr[*pos].val == (int32) '!')
+       else if (ptr[mypos].val == (int32) '!')
        {
-               ptr[*pos].left = 1;
-               (*pos)++;
-               findoprnd(ptr, pos);
+               /* unary operator, likewise easy: operand is just after it */
+               ptr[mypos].left = 1;
+               /* recurse to scan operand */
+               if (!findoprnd(state, ptr, pos))
+                       return false;
        }
        else
        {
-               ITEM       *curitem = &ptr[*pos];
-               int32           tmp = *pos;
-
-               (*pos)++;
-               findoprnd(ptr, pos);
-               curitem->left = *pos - tmp;
-               findoprnd(ptr, pos);
+               /* binary operator */
+               int32           delta;
+
+               /* recurse to scan right operand */
+               if (!findoprnd(state, ptr, pos))
+                       return false;
+               /* we must fill left with offset to left operand's top */
+               /* delta can't overflow, see LTXTQUERY_TOO_BIG ... */
+               delta = *pos - mypos;
+               /* ... but it might be too large to fit in the 16-bit left field */
+               Assert(delta > 0);
+               if (unlikely(delta > PG_INT16_MAX))
+                       ereturn(state->escontext, false,
+                                       (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                        errmsg("ltxtquery is too large")));
+               ptr[mypos].left = (int16) delta;
+               /* recurse to scan left operand */
+               if (!findoprnd(state, ptr, pos))
+                       return false;
        }
+
+       return true;
 }
 
 
@@ -391,7 +429,10 @@ queryin(char *buf, struct Node *escontext)
 
        /* set left operand's position for every operator */
        pos = 0;
-       findoprnd(ptr, &pos);
+       if (!findoprnd(&state, ptr, &pos))
+               return NULL;
+       /* if successful, findoprnd should have scanned the whole array */
+       Assert(pos == state.num);
 
        return query;
 }

diff --git a/contrib/ltree/sql/ltree.sql b/contrib/ltree/sql/ltree.sql
index fb3cca163a203028ca1f03e03c2a3485c50b41f2..2a6ab0de1bd8cd1d99cf1f330ac02bd7c3880535 100644 (file)
--- a/contrib/ltree/sql/ltree.sql
+++ b/contrib/ltree/sql/ltree.sql
@@ -253,6 +253,9 @@ SELECT 'tree.awdfg'::ltree @ 'tree & aWdfg@'::ltxtquery;
 SELECT 'tree.awdfg_qwerty'::ltree @ 'tree & aw_qw%*'::ltxtquery;
 SELECT 'tree.awdfg_qwerty'::ltree @ 'tree & aw_rw%*'::ltxtquery;
 
+SELECT (SELECT 'a | ' || string_agg('b', ' & ')
+        FROM generate_series(1, 17000) AS i)::ltxtquery;
+
 --arrays
 
 SELECT '{1.2.3}'::ltree[] @> '1.2.3.4';