Sir Mordred The Traitor <[EMAIL PROTECTED]> writes:
> Upon invoking a polygon(integer, circle) function a
> src/backend/utils/adt/geo_ops.c:circle_poly() function will get
> called, which suffers from a buffer overflow.
>
> 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
> buffer overrun condition. It is called in multiple places, the most
> interesting are path_out() and poly_out() functions.
> 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
> a simple buffer overrun.
I've attached a patch which should fix these problems.
> 3) Upon converting a char string to a path object, a
> src/backend/utils/adt/geo_ops.c:path_in() function will get called,
> which suffers from a buffer overrun, caused by a very long argument.
> 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
> detect a buffer overrun condition caused by a very long argument.
I wasn't able to reproduce either of these (wouldn't it require an
input string with several hundred thousand commas?), can you give me a
test-case?
Cheers,
Neil
--
Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/utils/adt/geo_ops.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/geo_ops.c,v
retrieving revision 1.63
diff -c -r1.63 geo_ops.c
*** src/backend/utils/adt/geo_ops.c 16 Jul 2002 03:30:27 -0000 1.63
--- src/backend/utils/adt/geo_ops.c 28 Aug 2002 19:07:01 -0000
***************
*** 269,279 ****
static char *
path_encode(bool closed, int npts, Point *pt)
{
! char *result = palloc(npts * (P_MAXLEN + 3) + 2);
!
char *cp;
int i;
cp = result;
switch (closed)
{
--- 269,285 ----
static char *
path_encode(bool closed, int npts, Point *pt)
{
! int size = npts * (P_MAXLEN + 3) + 2;
! char *result;
char *cp;
int i;
+ /* Check for integer overflow */
+ if ((size - 2) / npts != (P_MAXLEN + 3))
+ elog(ERROR, "Too many points requested");
+
+ result = palloc(size);
+
cp = result;
switch (closed)
{
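Review bot: The guard `if ((size - 2) / npts != (P_MAXLEN + 3))` divides by npts, so if any caller can reach path_encode with npts == 0 the new check faults on division by zero where the old code simply allocated a two-byte buffer; it also inspects `size` only after the signed multiplication has already overflowed, which C leaves undefined rather than guaranteeing wraparound. Checking the operand before multiplying avoids both: `if (npts > (INT_MAX - 2) / (P_MAXLEN + 3)) elog(ERROR, "Too many points requested");` placed ahead of the `size` computation (INT_MAX is from <limits.h>). The path_add and circle_poly hunks below use the same after-the-fact pattern and would benefit from the same kind of pre-check. path_encode's body continues past the end of the hunk.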
***************
*** 1230,1236 ****
depth++;
}
! size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
path = (PATH *) palloc(size);
path->size = size;
--- 1236,1242 ----
depth++;
}
! size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
path = (PATH *) palloc(size);
path->size = size;
***************
*** 3596,3608 ****
PATH *p1 = PG_GETARG_PATH_P(0);
PATH *p2 = PG_GETARG_PATH_P(1);
PATH *result;
! int size;
int i;
if (p1->closed || p2->closed)
PG_RETURN_NULL();
! size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
result = (PATH *) palloc(size);
result->size = size;
--- 3602,3622 ----
PATH *p1 = PG_GETARG_PATH_P(0);
PATH *p2 = PG_GETARG_PATH_P(1);
PATH *result;
! int size,
! base_size;
int i;
if (p1->closed || p2->closed)
PG_RETURN_NULL();
! base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
! size = offsetof(PATH, p[0]) + base_size;
!
! /* Check for integer overflow */
! if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
! size <= base_size)
! elog(ERROR, "too many points requested.");
!
result = (PATH *) palloc(size);
result->size = size;
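Review bot: `base_size` is declared `int`, but the product `sizeof(p1->p[0]) * (p1->npts + p2->npts)` is computed in size_t and then narrowed on assignment, so the check `base_size / sizeof(p1->p[0]) != ...` only detects overflow through the implementation-defined result of that narrowing (on an LP64 platform the size_t product itself never wraps); declaring `base_size` and `size` as `size_t`, or rejecting the point count before multiplying, makes the check rest on defined behaviour. The sum `p1->npts + p2->npts` is evaluated three times and reads better hoisted into a local, `int npts = p1->npts + p2->npts;`, which also gives a pre-check a single operand. The error text `"too many points requested."` ends with a period while the messages in the other two hunks do not; dropping it keeps them uniform. The circle_poly hunk has the same int/size_t narrowing in its `base_size`. path_add's body continues outside the hunk on both sides.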
***************
*** 4413,4429 ****
int32 npts = PG_GETARG_INT32(0);
CIRCLE *circle = PG_GETARG_CIRCLE_P(1);
POLYGON *poly;
! int size;
int i;
double angle;
if (FPzero(circle->radius) || (npts < 2))
elog(ERROR, "Unable to convert circle to polygon");
! size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
poly = (POLYGON *) palloc(size);
! MemSet((char *) poly, 0, size); /* zero any holes */
poly->size = size;
poly->npts = npts;
--- 4427,4450 ----
int32 npts = PG_GETARG_INT32(0);
CIRCLE *circle = PG_GETARG_CIRCLE_P(1);
POLYGON *poly;
! int base_size,
! size;
int i;
double angle;
if (FPzero(circle->radius) || (npts < 2))
elog(ERROR, "Unable to convert circle to polygon");
! base_size = sizeof(poly->p[0]) * npts;
! size = offsetof(POLYGON, p[0]) + base_size;
!
! /* Check for integer overflow */
! if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
! elog(ERROR, "too many points requested");
!
poly = (POLYGON *) palloc(size);
! MemSet(poly, 0, size); /* zero any holes */
poly->size = size;
poly->npts = npts;