Tom Lane <[EMAIL PROTECTED]> writes:
> Vince Vielhaber <[EMAIL PROTECTED]> writes:
> > Here's yet another. He claims malicious code can be run on the server
> > with this one.
>
> regression=# select repeat('xxx',1431655765);
> server closed the connection unexpectedly
>
> This is probably caused by integer overflow in calculating the size of
> the repeat's result buffer. It'd take some considerable doing to create
> an arbitrary-code exploit, but perhaps could be done. Anyone want to
> investigate a patch?
This seems to fix the problem:
nconway=# select repeat('xxx',1431655765);
ERROR: Requested buffer is too large.
It uses the logic you suggested. Just a quick and dirty fix, I may
have missed something... The patch applies cleanly to both CVS HEAD
and the 7.2 stable branch.
Cheers,
Neil
--
Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/utils/adt/oracle_compat.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/oracle_compat.c,v
retrieving revision 1.38
diff -c -r1.38 oracle_compat.c
*** src/backend/utils/adt/oracle_compat.c 20 Jun 2002 20:51:45 -0000 1.38
--- src/backend/utils/adt/oracle_compat.c 20 Aug 2002 20:27:21 -0000
***************
*** 997,1002 ****
--- 997,1006 ----
slen = (VARSIZE(string) - VARHDRSZ);
tlen = (VARHDRSZ + (count * slen));
+ /* Check for integer overflow */
+ if (tlen / slen != count)
+ elog(ERROR, "Requested buffer is too large.");
+
result = (text *) palloc(tlen);
VARATT_SIZEP(result) = tlen;
---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
