authorBruce Momjian <bruce@momjian.us>2002-08-22 04:54:20 +0000
committerBruce Momjian <bruce@momjian.us>2002-08-22 04:54:20 +0000
commitcbe733d7527058300f325d7b3f8fec4aa4ffe3de (patch)
tree69656b33976c7cb015d653ea7a89802106559968 /src/backend/utils/adt/oracle_compat.c
parentc76f5aa53032790f5f464ad658c8f65595c12eca (diff)
repeat() fix:
> Neil Conway <neilc@samurai.com> writes: > > + /* Check for integer overflow */ > > + if (tlen / slen != count) > > + elog(ERROR, "Requested buffer is too large."); > > What about slen == 0? Good point -- that wouldn't cause incorrect results or a security problem, but it would reject input that we should really accept. Revised patch is attached. Neil Conway
Diffstat (limited to 'src/backend/utils/adt/oracle_compat.c')
-rw-r--r--src/backend/utils/adt/oracle_compat.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/backend/utils/adt/oracle_compat.c b/src/backend/utils/adt/oracle_compat.c
index 7634e0cdaf9..dfeb18c551b 100644
--- a/src/backend/utils/adt/oracle_compat.c
+++ b/src/backend/utils/adt/oracle_compat.c
@@ -9,7 +9,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.38 2002/06/20 20:51:45 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.39 2002/08/22 04:54:20 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -997,6 +997,10 @@ repeat(PG_FUNCTION_ARGS)
slen = (VARSIZE(string) - VARHDRSZ);
tlen = (VARHDRSZ + (count * slen));
+ /* Check for integer overflow */
+ if (slen != 0 && count != 0 && tlen / slen != count)
+ elog(ERROR, "Requested buffer is too large.");
+
result = (text *) palloc(tlen);
VARATT_SIZEP(result) = tlen;
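Review bot: The added test `tlen / slen != count` divides a `tlen` that already includes `VARHDRSZ`, so the quotient is `count + VARHDRSZ / slen`, and the error fires for valid calls whenever `slen <= VARHDRSZ` (assuming `VARHDRSZ` is non-zero), for example when repeating a one-byte string. The test also runs after `count * slen` has been evaluated, so if these are signed ints (the declarations are outside the hunk) the wrap it looks for is undefined behaviour in C. An overflow in the `VARHDRSZ +` addition is not covered either. Checking the bound before the multiplication avoids all three: `if (slen != 0 && count > (INT_MAX - VARHDRSZ) / slen) elog(ERROR, "Requested buffer is too large.");`, with `tlen` assigned only after it passes. The body of repeat() starts and ends outside the hunk, so confirm that a negative `count` is rejected or clamped before this point.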