git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 11 May 2026 12:13:49 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:49 +0000 (05:13 -0700)
commit	aff71f87ba78e8fe5fb266ecfce692f2e23a5d6a
tree	b294fe555a222b25caedf35ed35575110f9d5ee3	tree \| snapshot
parent	f20b840813f579062cc5de0a9a266dc8d5590fc7	commit \| diff

Fix assorted places that need to use palloc_array().

multirange_recv and BlockRefTableReaderNextRelation were incautious
about multiplying a possibly-large integer by a factor more than 1
and then using it as an allocation size.  This is harmless on 64-bit
systems where we'd compute a size exceeding MaxAllocSize and then
fail, but on 32-bit systems we could overflow size_t leading to an
undersized allocation and buffer overrun.

Fix these places by using palloc_array() instead of a handwritten
multiplication.  (In HEAD, some of them were fixed already, but
none of that work got back-patched at the time.)

In addition, BlockRefTableReaderNextRelation passes the same value
to BlockRefTableRead's "int length" parameter.  If built for
64-bit frontend code, palloc_array() allows a larger array size
than it otherwise would, potentially allowing that parameter to
overflow.  Add an explicit check to forestall that and keep the
behavior the same cross-platform.

Reported-by: Xint Code
Author: Tom Lane <tgl@sss.pgh.pa.us>
Backpatch-through: 14
Security: CVE-2026-6473