Fix assorted places that need to use palloc_array().

multirange_recv and BlockRefTableReaderNextRelation were incautious
about multiplying a possibly-large integer by a factor more than 1
and then using it as an allocation size.  This is harmless on 64-bit
systems where we'd compute a size exceeding MaxAllocSize and then
fail, but on 32-bit systems we could overflow size_t leading to an
undersized allocation and buffer overrun.

Fix these places by using palloc_array() instead of a handwritten
multiplication.  (In HEAD, some of them were fixed already, but
none of that work got back-patched at the time.)

In addition, BlockRefTableReaderNextRelation passes the same value
to BlockRefTableRead's "int length" parameter.  If built for
64-bit frontend code, palloc_array() allows a larger array size
than it otherwise would, potentially allowing that parameter to
overflow.  Add an explicit check to forestall that and keep the
behavior the same cross-platform.

Reported-by: Xint Code
Author: Tom Lane <tgl@sss.pgh.pa.us>
Backpatch-through: 14
Security: CVE-2026-6473

diff --git a/src/backend/utils/adt/multirangetypes.c b/src/backend/utils/adt/multirangetypes.c
index 9d682be73f6421d67d1c7c0215f6aee967b90d97..7f14f7e683c5220013b66927c693c0761f90b392 100644 (file)
--- a/src/backend/utils/adt/multirangetypes.c
+++ b/src/backend/utils/adt/multirangetypes.c
@@ -340,7 +340,7 @@ multirange_recv(PG_FUNCTION_ARGS)
        Oid                     mltrngtypoid = PG_GETARG_OID(1);
        int32           typmod = PG_GETARG_INT32(2);
        MultirangeIOData *cache;
-       uint32          range_count;
+       int32           range_count;
        RangeType **ranges;
        MultirangeType *ret;
        StringInfoData tmpbuf;
@@ -348,7 +348,8 @@ multirange_recv(PG_FUNCTION_ARGS)
        cache = get_multirange_io_data(fcinfo, mltrngtypoid, IOFunc_receive);
 
        range_count = pq_getmsgint(buf, 4);
-       ranges = palloc(range_count * sizeof(RangeType *));
+       /* palloc_array will enforce a more-or-less-sane range_count value */
+       ranges = palloc_array(RangeType *, range_count);
 
        initStringInfo(&tmpbuf);
        for (int i = 0; i < range_count; i++)
@@ -835,7 +836,7 @@ multirange_deserialize(TypeCacheEntry *rangetyp,
        {
                int                     i;
 
-               *ranges = palloc(*range_count * sizeof(RangeType *));
+               *ranges = palloc_array(RangeType *, *range_count);
                for (i = 0; i < *range_count; i++)
                        (*ranges)[i] = multirange_get_range(rangetyp, multirange, i);
        }
@@ -999,7 +1000,7 @@ multirange_constructor2(PG_FUNCTION_ARGS)
                deconstruct_array(rangeArray, rngtypid, rangetyp->typlen, rangetyp->typbyval,
                                                  rangetyp->typalign, &elements, &nulls, &range_count);
 
-               ranges = palloc0(range_count * sizeof(RangeType *));
+               ranges = palloc_array(RangeType *, range_count);
                for (i = 0; i < range_count; i++)
                {
                        if (nulls[i])

diff --git a/src/common/blkreftable.c b/src/common/blkreftable.c
index 845b5d1dc46ed2cf07d583212ad4e4a09163b9fe..c16ef736f003b1623cbdcdd426f4f2d64be085b9 100644 (file)
--- a/src/common/blkreftable.c
+++ b/src/common/blkreftable.c
@@ -497,7 +497,7 @@ WriteBlockRefTable(BlockRefTable *brtab,
 
                /* Extract entries into serializable format and sort them. */
                sdata =
-                       palloc(brtab->hash->members * sizeof(BlockRefTableSerializedEntry));
+                       palloc_array(BlockRefTableSerializedEntry, brtab->hash->members);
                blockreftable_start_iterate(brtab->hash, &it);
                while ((brtentry = blockreftable_iterate(brtab->hash, &it)) != NULL)
                {
@@ -657,10 +657,24 @@ BlockRefTableReaderNextRelation(BlockRefTableReader *reader,
                return false;
        }
 
+       /*
+        * Sanity-check the nchunks value.  In the backend, palloc_array would
+        * enforce this anyway (with a more generic error message); but in
+        * frontend it would not, potentially allowing BlockRefTableRead's length
+        * parameter to overflow.
+        */
+       if (sentry.nchunks > MaxAllocSize / sizeof(uint16))
+       {
+               reader->error_callback(reader->error_callback_arg,
+                                                          "file \"%s\" has oversized chunk size array",
+                                                          reader->error_filename);
+               return false;
+       }
+
        /* Read chunk size array. */
        if (reader->chunk_size != NULL)
                pfree(reader->chunk_size);
-       reader->chunk_size = palloc(sentry.nchunks * sizeof(uint16));
+       reader->chunk_size = palloc_array(uint16, sentry.nchunks);
        BlockRefTableRead(reader, reader->chunk_size,
                                          sentry.nchunks * sizeof(uint16));
 
@@ -997,10 +1011,9 @@ BlockRefTableEntryMarkBlockModified(BlockRefTableEntry *entry,
 
                if (entry->nchunks == 0)
                {
-                       entry->chunk_size = palloc0(sizeof(uint16) * max_chunks);
-                       entry->chunk_usage = palloc0(sizeof(uint16) * max_chunks);
-                       entry->chunk_data =
-                               palloc0(sizeof(BlockRefTableChunk) * max_chunks);
+                       entry->chunk_size = palloc0_array(uint16, max_chunks);
+                       entry->chunk_usage = palloc0_array(uint16, max_chunks);
+                       entry->chunk_data = palloc0_array(BlockRefTableChunk, max_chunks);
                }
                else
                {
@@ -1029,7 +1042,7 @@ BlockRefTableEntryMarkBlockModified(BlockRefTableEntry *entry,
        if (entry->chunk_size[chunkno] == 0)
        {
                entry->chunk_data[chunkno] =
-                       palloc(sizeof(uint16) * INITIAL_ENTRIES_PER_CHUNK);
+                       palloc_array(uint16, INITIAL_ENTRIES_PER_CHUNK);
                entry->chunk_size[chunkno] = INITIAL_ENTRIES_PER_CHUNK;
                entry->chunk_data[chunkno][0] = chunkoffset;
                entry->chunk_usage[chunkno] = 1;