authorTom Lane <tgl@sss.pgh.pa.us>2018-02-05 10:37:30 -0500
committerTom Lane <tgl@sss.pgh.pa.us>2018-02-05 10:37:30 -0500
commit3492a0af0bd37e7f23e27fd3f5537f414ee9ab9b (patch)
tree490de2a1f07c523b02d22e2c7d96c10082383925 /src/backend/utils/cache/relcache.c
parent05d0f13f0701d84e4e6784da336aabcc2dfc8ade (diff)
Fix RelationBuildPartitionKey's processing of partition key expressions.
Failure to advance the list pointer while reading partition expressions from a list results in invoking an input function with inappropriate data, possibly leading to crashes or, with carefully crafted input, disclosure of arbitrary backend memory. Bug discovered independently by Álvaro Herrera and David Rowley. This patch is by Álvaro but owes something to David's proposed fix. Back-patch to v10 where the issue was introduced. Security: CVE-2018-1052
Diffstat (limited to 'src/backend/utils/cache/relcache.c')
-rw-r--r--src/backend/utils/cache/relcache.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/backend/utils/cache/relcache.c b/src/backend/utils/cache/relcache.c
index c081b88b733..d5cc246156b 100644
--- a/src/backend/utils/cache/relcache.c
+++ b/src/backend/utils/cache/relcache.c
@@ -983,9 +983,14 @@ RelationBuildPartitionKey(Relation relation)
}
else
{
+ if (partexprs_item == NULL)
+ elog(ERROR, "wrong number of partition key expressions");
+
key->parttypid[i] = exprType(lfirst(partexprs_item));
key->parttypmod[i] = exprTypmod(lfirst(partexprs_item));
key->parttypcoll[i] = exprCollation(lfirst(partexprs_item));
+
+ partexprs_item = lnext(partexprs_item);
}
get_typlenbyvalalign(key->parttypid[i],
&key->parttyplen[i],
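Review bot: The added guard before `lfirst(partexprs_item)` only catches a stored expression list that is shorter than the number of expression columns; a list with leftover entries would still be accepted silently. The loop and the rest of RelationBuildPartitionKey end outside this hunk, so this is inferred, but a matching check after the loop would make the catalog consistency test symmetric: `if (partexprs_item != NULL) elog(ERROR, "wrong number of partition key expressions");`. A short comment above the new `lnext()` call would also help, since the missing advance was the root cause of the memory disclosure: `/* each expression column consumes exactly one partexprs entry */`.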