diff --git a/src/backend/access/transam/xact.c b/src/backend/access/transam/xact.c
index d85e313908..102d0e1574 100644
--- a/src/backend/access/transam/xact.c
+++ b/src/backend/access/transam/xact.c
@@ -3043,6 +3043,9 @@ CommitTransactionCommand(void)
 TransactionState s = CurrentTransactionState;
 SavedTransactionCharacteristics savetc;
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 SaveTransactionCharacteristics(&savetc);
 switch (s->blockState)
@@ -5500,6 +5503,9 @@ ShowTransactionStateRec(const char *str, TransactionState s)
 {
 StringInfoData buf;
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 initStringInfo(&buf);
 if (s->nChildXids > 0)
diff --git a/src/backend/catalog/dependency.c b/src/backend/catalog/dependency.c
index 7acf654bf8..58a1d70b8a 100644
--- a/src/backend/catalog/dependency.c
+++ b/src/backend/catalog/dependency.c
@@ -76,6 +76,7 @@
 #include "commands/trigger.h"
 #include "commands/typecmds.h"
 #include "funcapi.h"
+#include "miscadmin.h"
 #include "nodes/nodeFuncs.h"
 #include "parser/parsetree.h"
 #include "rewrite/rewriteRemove.h"
@@ -524,6 +525,11 @@ findDependentObjects(const ObjectAddress *object,
 if (stack_address_present_add_flags(object, objflags, stack))
 return;
+ /* since this function recurses, it could be driven to stack overflow,
+ * because of the deep dependency tree, not only due to dependency loops.
+ */
+ check_stack_depth();
+
 /*
 * It's also possible that the target object has already been completely
 * processed and put into targetObjects. If so, again we just add the
diff --git a/src/backend/catalog/heap.c b/src/backend/catalog/heap.c
index 4f006820b8..a88550913d 100644
--- a/src/backend/catalog/heap.c
+++ b/src/backend/catalog/heap.c
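Review bot: A stack-depth failure in CommitTransactionCommand() now surfaces as an ERROR raised at the start of commit processing, because `check_stack_depth()` reports the limit by throwing rather than returning a status; a sufficiently deep chain of subtransactions would therefore end in abort handling instead of a completed commit. That is preferable to overrunning the stack, but the comment should state the consequence, for example `/* may ereport(ERROR): a too-deep subtransaction chain aborts here instead of committing */`. If the recursion is one call per subtransaction level (inferred, the body continues outside the hunk), turning it into a loop would remove the limit rather than enforce it. The ShowTransactionStateRec() hunk is diagnostic output, where the same behaviour matters less.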
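Review bot: The comment added before `check_stack_depth()` in findDependentObjects() puts text on the opening `/*` line and then continues with ` * ` lines, unlike the block comment directly below it in the same hunk, which opens with a bare `/*`. I would rewrite it as a standard block comment (bare `/*`, the two sentences, closing ` */`) and have it say what is being bounded: recursion depth follows the length of a dependency chain, which is determined by the objects users create, not only by loops. Placement after the `stack_address_present_add_flags()` early return looks right, since an object already on the stack returns before descending. The function body starts and ends outside the hunk.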
@@ -552,6 +552,9 @@ CheckAttributeType(const char *attname,
 char att_typtype = get_typtype(atttypid);
 Oid att_typelem;
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 if (att_typtype == TYPTYPE_PSEUDO)
 {
 /*
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
index 7c697a285b..f22da79c65 100644
--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -6684,6 +6684,9 @@ ATExecAddColumn(List **wqueue, AlteredTableInfo *tab, Relation rel,
 TupleDesc tupdesc;
 FormData_pg_attribute *aattr[] = {&attribute};
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 /* At top level, permission check was done in ATPrepCmd, else do it */
 if (recursing)
 ATSimplePermissions((*cmd)->subtype, rel, ATT_TABLE | ATT_FOREIGN_TABLE);
@@ -8383,6 +8386,10 @@ ATExecDropColumn(List **wqueue, Relation rel, const char *colName,
 /* Initialize addrs on the first invocation */
 Assert(!recursing || addrs != NULL);
+
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 if (!recursing)
 addrs = new_object_addresses();
@@ -10839,6 +10846,9 @@ ATExecAlterConstrRecurse(Constraint *cmdcon, Relation conrel, Relation tgrel,
 Oid refrelid;
 bool changed = false;
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 currcon = (Form_pg_constraint) GETSTRUCT(contuple);
 conoid = currcon->oid;
 refrelid = currcon->confrelid;
@@ -11839,6 +11849,9 @@ ATExecDropConstraint(Relation rel, const char *constrName,
 bool is_no_inherit_constraint = false;
 char contype;
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 /* At top level, permission check was done in ATPrepCmd, else do it */
 if (recursing)
 ATSimplePermissions(AT_DropConstraint, rel, ATT_TABLE | ATT_FOREIGN_TABLE);
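Review bot: In ATExecDropColumn() the depth check is inserted between the `/* Initialize addrs on the first invocation */` comment with its Assert and the `if (!recursing)` that the comment describes, which separates the comment from the code it documents. Moving the two added lines above that comment keeps the initialization block together and puts the check first, as in the ATExecAddColumn() and ATExecDropConstraint() hunks, where it precedes the permission check. The hunk also adds a blank line both before and after the check; one is enough. The function body starts and ends outside the hunk.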
diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
index aa584848cf..77a5eb526c 100644
--- a/src/backend/optimizer/util/clauses.c
+++ b/src/backend/optimizer/util/clauses.c
@@ -2318,6 +2318,10 @@ static Node *
 eval_const_expressions_mutator(Node *node,
 eval_const_expressions_context *context)
 {
+
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 if (node == NULL)
 return NULL;
 switch (nodeTag(node))
diff --git a/src/backend/utils/adt/jsonpath_exec.c b/src/backend/utils/adt/jsonpath_exec.c
index b561f0e7e8..dc7ab387ea 100644
--- a/src/backend/utils/adt/jsonpath_exec.c
+++ b/src/backend/utils/adt/jsonpath_exec.c
@@ -1232,6 +1232,9 @@ executeBoolItem(JsonPathExecContext *cxt, JsonPathItem *jsp,
 JsonPathBool res;
 JsonPathBool res2;
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 if (!canHaveNext && jspHasNext(jsp))
 elog(ERROR, "boolean jsonpath item cannot have next item");
diff --git a/src/backend/utils/mmgr/mcxt.c b/src/backend/utils/mmgr/mcxt.c
index 0b00802df7..cc06c00a49 100644
--- a/src/backend/utils/mmgr/mcxt.c
+++ b/src/backend/utils/mmgr/mcxt.c
@@ -392,6 +392,9 @@ MemoryContextDelete(MemoryContext context)
 /* And not CurrentMemoryContext, either */
 Assert(context != CurrentMemoryContext);
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 /* save a function call in common case where there are no children */
 if (context->firstchild != NULL)
 MemoryContextDeleteChildren(context);
@@ -750,6 +753,9 @@ MemoryContextStatsInternal(MemoryContext context, int level,
 Assert(MemoryContextIsValid(context));
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 /* Examine the context itself */
 context->methods->stats(context, print ? MemoryContextStatsPrint : NULL,
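Review bot: In eval_const_expressions_mutator() the depth check runs before `if (node == NULL) return NULL;`, so every NULL child pays for a check even though it cannot recurse further; placing `check_stack_depth();` directly after the NULL test keeps the guard for every real node and skips it for empty ones. The hunk also adds an empty line immediately after the opening `{`, which should be dropped. The guard itself is worth having, since the expression tree walked here presumably comes from query text and its depth is chosen by whoever writes the query. The switch that follows continues outside the hunk.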
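Review bot: `check_stack_depth()` reports the limit by raising an ERROR, and in MemoryContextDelete() that error would come from a routine that error recovery itself presumably relies on to release memory, so the same deep context tree could be walked again during cleanup and fail the same way (inferred, callers are not visible here). The same concern applies to the MemoryContextStatsInternal() hunk, which looks like a diagnostic dump that may run when memory is already exhausted, and to the MemoryContextCheck() hunk that follows. For these three I would prefer bounding the traversal without throwing, by walking children iteratively or, for the stats case, by not descending past a fixed `level`. At minimum the comment should say `/* NB: can ereport(ERROR); callers on cleanup paths must tolerate that */`. All three function bodies continue outside their hunks.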
@@ -915,6 +921,9 @@ MemoryContextCheck(MemoryContext context)
 Assert(MemoryContextIsValid(context));
+ /* since this function recurses, it could be driven to stack overflow */
+ check_stack_depth();
+
 context->methods->check(context);
 for (child = context->firstchild; child != NULL; child = child->nextchild)
 MemoryContextCheck(child);
Hello! Continuing this topic, I would like to suggest a solution.
This patch adds several checks to the vulnerable functions above.