Tom Lane <[EMAIL PROTECTED]> writes: > Neil Conway <[EMAIL PROTECTED]> writes: > > + /* Check for integer overflow */ > > + if (tlen / slen != count) > > + elog(ERROR, "Requested buffer is too large."); > > What about slen == 0?
Good point -- that wouldn't cause incorrect results or a security problem, but it would reject input that we should really accept. Revised patch is attached. Cheers, Neil -- Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/utils/adt/oracle_compat.c =================================================================== RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/oracle_compat.c,v retrieving revision 1.38 diff -c -r1.38 oracle_compat.c *** src/backend/utils/adt/oracle_compat.c 20 Jun 2002 20:51:45 -0000 1.38 --- src/backend/utils/adt/oracle_compat.c 20 Aug 2002 20:51:20 -0000 *************** *** 997,1002 **** --- 997,1006 ---- slen = (VARSIZE(string) - VARHDRSZ); tlen = (VARHDRSZ + (count * slen)); + /* Check for integer overflow */ + if (slen != 0 && count != 0 && tlen / slen != count) + elog(ERROR, "Requested buffer is too large."); + result = (text *) palloc(tlen); VARATT_SIZEP(result) = tlen;
---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
