Sir Mordred The Traitor <[EMAIL PROTECTED]> writes: > Upon invoking a polygon(integer, circle) function a > src/backend/utils/adt/geo_ops.c:circle_poly() function will gets > called, which suffers from a buffer overflow. > > 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a > buffer overrun condition. It is called in multiple places, the most > interesting are path_out() and poly_out() functions.
> 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect > a simple buffer overrun. I've attached a patch which should fix these problems. > 3) Upon converting a char string to a path object, a > src/backend/utils/adt/geo_ops.c:path_in() function will gets called, > which suffers from a buffer overrun, caused by a very long argument. > 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to > detect a buffer overrun condition caused by a very long argument. I wasn't able to reproduce either of these (wouldn't it require an input string with several hundred thousand commas?), can you give me a test-case? Cheers, Neil -- Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/utils/adt/geo_ops.c =================================================================== RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/geo_ops.c,v retrieving revision 1.63 diff -c -r1.63 geo_ops.c *** src/backend/utils/adt/geo_ops.c 16 Jul 2002 03:30:27 -0000 1.63 --- src/backend/utils/adt/geo_ops.c 28 Aug 2002 19:07:01 -0000 *************** *** 269,279 **** static char * path_encode(bool closed, int npts, Point *pt) { ! char *result = palloc(npts * (P_MAXLEN + 3) + 2); ! char *cp; int i; cp = result; switch (closed) { --- 269,285 ---- static char * path_encode(bool closed, int npts, Point *pt) { ! int size = npts * (P_MAXLEN + 3) + 2; ! char *result; char *cp; int i; + /* Check for integer overflow */ + if ((size - 2) / npts != (P_MAXLEN + 3)) + elog(ERROR, "Too many points requested"); + + result = palloc(size); + cp = result; switch (closed) { *************** *** 1230,1236 **** depth++; } ! size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts; path = (PATH *) palloc(size); path->size = size; --- 1236,1242 ---- depth++; } ! size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts; path = (PATH *) palloc(size); path->size = size; *************** *** 3596,3608 **** PATH *p1 = PG_GETARG_PATH_P(0); PATH *p2 = PG_GETARG_PATH_P(1); PATH *result; ! int size; int i; if (p1->closed || p2->closed) PG_RETURN_NULL(); ! size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts); result = (PATH *) palloc(size); result->size = size; --- 3602,3622 ---- PATH *p1 = PG_GETARG_PATH_P(0); PATH *p2 = PG_GETARG_PATH_P(1); PATH *result; ! int size, ! base_size; int i; if (p1->closed || p2->closed) PG_RETURN_NULL(); ! base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts); ! size = offsetof(PATH, p[0]) + base_size; ! ! /* Check for integer overflow */ ! if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) || ! size <= base_size) ! elog(ERROR, "too many points requested."); ! result = (PATH *) palloc(size); result->size = size; *************** *** 4413,4429 **** int32 npts = PG_GETARG_INT32(0); CIRCLE *circle = PG_GETARG_CIRCLE_P(1); POLYGON *poly; ! int size; int i; double angle; if (FPzero(circle->radius) || (npts < 2)) elog(ERROR, "Unable to convert circle to polygon"); ! size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts); poly = (POLYGON *) palloc(size); ! MemSet((char *) poly, 0, size); /* zero any holes */ poly->size = size; poly->npts = npts; --- 4427,4450 ---- int32 npts = PG_GETARG_INT32(0); CIRCLE *circle = PG_GETARG_CIRCLE_P(1); POLYGON *poly; ! int base_size, ! size; int i; double angle; if (FPzero(circle->radius) || (npts < 2)) elog(ERROR, "Unable to convert circle to polygon"); ! base_size = sizeof(poly->p[0]) * npts; ! size = offsetof(POLYGON, p[0]) + base_size; ! ! /* Check for integer overflow */ ! if (base_size / npts != sizeof(poly->p[0]) || size <= base_size) ! elog(ERROR, "too many points requested"); ! poly = (POLYGON *) palloc(size); ! MemSet(poly, 0, size); /* zero any holes */ poly->size = size; poly->npts = npts;
---------------------------(end of broadcast)--------------------------- TIP 6: Have you searched our list archives? http://archives.postgresql.org