diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2008-05-29 22:02:44 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2008-05-29 22:02:44 +0000 |
| commit | 02ac30540540b99c9d4b05bff23e04b9de6c50dc (patch) | |
| tree | b574ba490b126cd01cc88bacecd4c1f8a20d54c6 /src/interfaces/libpq/fe-protocol3.c | |
| parent | 5914140a3b04cfa0a37c0efcfe7378e1b562e60e (diff) | |
| download | postgresql-02ac30540540b99c9d4b05bff23e04b9de6c50dc.tar.gz | |
Tweak libpq to avoid crashing due to incorrect buffer size calculation when
we are on a 64-bit machine (ie, size_t is wider than int) and someone passes
in a query string that approaches or exceeds INT_MAX bytes. Also, just for
paranoia's sake, guard against similar overflows in sizing the input buffer.
The backend will not in the foreseeable future be prepared to send or receive
strings exceeding 1GB, so I didn't take the more invasive step of switching
all the buffer index variables from int to size_t; though someday we might
want to do that.
I have a suspicion that this is not the only such bug in libpq, but this
fix is enough to take care of the crash reported by Francisco Reyes.
Diffstat (limited to 'src/interfaces/libpq/fe-protocol3.c')
| -rw-r--r-- | src/interfaces/libpq/fe-protocol3.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/interfaces/libpq/fe-protocol3.c b/src/interfaces/libpq/fe-protocol3.c index 89c0d5018f..66059493bb 100644 --- a/src/interfaces/libpq/fe-protocol3.c +++ b/src/interfaces/libpq/fe-protocol3.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-protocol3.c,v 1.34 2008/01/17 21:21:50 tgl Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-protocol3.c,v 1.35 2008/05/29 22:02:44 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -115,7 +115,8 @@ pqParseInput3(PGconn *conn) * recovery strategy if we are unable to make the buffer big * enough. */ - if (pqCheckInBufferSpace(conn->inCursor + msgLength, conn)) + if (pqCheckInBufferSpace(conn->inCursor + (size_t) msgLength, + conn)) { /* * XXX add some better recovery code... plan is to skip over @@ -1310,7 +1311,8 @@ getCopyDataMessage(PGconn *conn) * Before returning, enlarge the input buffer if needed to hold * the whole message. See notes in parseInput. */ - if (pqCheckInBufferSpace(conn->inCursor + msgLength - 4, conn)) + if (pqCheckInBufferSpace(conn->inCursor + (size_t) msgLength - 4, + conn)) { /* * XXX add some better recovery code... plan is to skip over @@ -1745,7 +1747,8 @@ pqFunctionCall3(PGconn *conn, Oid fnid, * Before looping, enlarge the input buffer if needed to hold the * whole message. See notes in parseInput. */ - if (pqCheckInBufferSpace(conn->inCursor + msgLength, conn)) + if (pqCheckInBufferSpace(conn->inCursor + (size_t) msgLength, + conn)) { /* * XXX add some better recovery code... plan is to skip over |