From: Bruce Momjian Date: Thu, 22 Aug 2002 04:54:20 +0000 (+0000) Subject: repeat() fix: X-Git-Tag: REL7_3~822 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbe733d7527058300f325d7b3f8fec4aa4ffe3de;p=thirdparty%2Fpostgresql.git repeat() fix: > Neil Conway writes: > > + /* Check for integer overflow */ > > + if (tlen / slen != count) > > + elog(ERROR, "Requested buffer is too large."); > > What about slen == 0? Good point -- that wouldn't cause incorrect results or a security problem, but it would reject input that we should really accept. Revised patch is attached. Neil Conway
---
diff --git a/src/backend/utils/adt/oracle_compat.c b/src/backend/utils/adt/oracle_compat.c
index 7634e0cdaf9..dfeb18c551b 100644
--- a/src/backend/utils/adt/oracle_compat.c
+++ b/src/backend/utils/adt/oracle_compat.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.38 2002/06/20 20:51:45 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.39 2002/08/22 04:54:20 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -997,6 +997,10 @@ repeat(PG_FUNCTION_ARGS)
 slen = (VARSIZE(string) - VARHDRSZ);
 tlen = (VARHDRSZ + (count * slen));
+ /* Check for integer overflow */
+ if (slen != 0 && count != 0 && tlen / slen != count)
+ elog(ERROR, "Requested buffer is too large.");
+
 result = (text *) palloc(tlen);
 VARATT_SIZEP(result) = tlen;
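Review bot: The added test in repeat() divides `tlen`, which already includes `VARHDRSZ`, so without overflow `tlen / slen` equals `count + VARHDRSZ / slen`, and the check raises "Requested buffer is too large." for valid calls whenever `slen <= VARHDRSZ` and `count != 0`, such as a one-byte string repeated three times. It also runs only after `count * slen` has been evaluated, so if these are signed ints (their declarations are outside the hunk) the overflow is already undefined behaviour by then, and a wrap in the `VARHDRSZ +` addition is not tested at all, which presumably still lets an undersized `tlen` reach `palloc(tlen)`. I would bound the operands before computing `tlen`, for example `if (slen != 0 && count > (INT_MAX - VARHDRSZ) / slen)` followed by the existing `elog(ERROR, ...)` line, assuming `count` is known to be non-negative at this point. The body of repeat() starts and ends outside the hunk.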