Predict integer overflow to avoid buffer overruns.
Noah Misch <noah@leadboat.com>
Predict integer overflow to avoid buffer overruns. Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions. Back-patch to 8.4 (all supported versions). The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0. Noah Misch and Heikki Linnakangas, reviewed by Tom Lane. Security: CVE-2014-0064
Files
| Path | Change | +/− |
|---|---|---|
| contrib/hstore/hstore.h | modified | +12 −3 |
| contrib/hstore/hstore_io.c | modified | +21 −0 |
| contrib/hstore/hstore_op.c | modified | +15 −0 |
| contrib/intarray/_int_bool.c | modified | +9 −0 |
| contrib/intarray/_int.h | modified | +2 −0 |
| contrib/ltree/ltree.h | modified | +3 −0 |
| contrib/ltree/ltree_io.c | modified | +11 −0 |
| contrib/ltree/ltxtquery_io.c | modified | +12 −1 |
| src/backend/utils/adt/geo_ops.c | modified | +28 −2 |
| src/backend/utils/adt/tsquery.c | modified | +6 −1 |
| src/backend/utils/adt/tsquery_util.c | modified | +5 −0 |
| src/backend/utils/adt/txid.c | modified | +13 −10 |
| src/backend/utils/adt/varbit.c | modified | +30 −2 |
| src/include/tsearch/ts_type.h | modified | +3 −0 |
| src/include/utils/varbit.h | modified | +7 −0 |