Fix assorted places that need to use palloc_array().
Tom Lane <tgl@sss.pgh.pa.us>
Author:
Tom Lane <tgl@sss.pgh.pa.us>
Committer:
Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:47Z
Releases:
18.4
Fix assorted places that need to use palloc_array(). multirange_recv and BlockRefTableReaderNextRelation were incautious about multiplying a possibly-large integer by a factor more than 1 and then using it as an allocation size. This is harmless on 64-bit systems where we'd compute a size exceeding MaxAllocSize and then fail, but on 32-bit systems we could overflow size_t leading to an undersized allocation and buffer overrun. Fix these places by using palloc_array() instead of a handwritten multiplication. (In HEAD, some of them were fixed already, but none of that work got back-patched at the time.) In addition, BlockRefTableReaderNextRelation passes the same value to BlockRefTableRead's "int length" parameter. If built for 64-bit frontend code, palloc_array() allows a larger array size than it otherwise would, potentially allowing that parameter to overflow. Add an explicit check to forestall that and keep the behavior the same cross-platform. Reported-by: Xint Code Author: Tom Lane <tgl@sss.pgh.pa.us> Backpatch-through: 14 Security: CVE-2026-6473
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/utils/adt/multirangetypes.c | modified | +5 −4 |
| src/common/blkreftable.c | modified | +20 −7 |